In February and March, 2023 it was reported that Flutterwave, a fintech was hacked and customer funds, amounting to over N2.9 billion, held in Flutterwave accounts, were illegally transferred to several bank accounts in Nigeria. Flutterwave submitted a petition to the Nigeria Police concerning the hack and illegal transfer and based on the petition, the Police brought an application to freeze accounts in 27 financial institutions in Nigeria where some of the funds were transferred to and the court granted the application. In the affidavit in support of the application to freeze accounts, the Investigating Police Officer; Inspector Adebowale Michael deposed or swore in paragraphs 1, 3 and 4 as follows:
“(1) That am the above-named person as well as the investigating police officer in a case of Conspiracy and fraudulent transfer reported by Flutterwave Technology Solution Limited through his counsel Albert Onimole, legal practitioner by virtue of which I am conversant with the fact of this case.
(3) That a case of Conspiracy and Fraudulent transfer was reported to the Police via petition written by Albert Onimole & Co. on behalf of Flutterwave Technology Solution Limited bothering on allegation of Conspiracy, stealing and fraudulent transfer over Two billion naira having hacked into the complainant account. Copy of the Petition is hereby attached and marked exhibit ‘A’.
(4) That it was revealed in the course of investigation that the suspected hackers hacked into the cyber space of the complainant and transferred over two billion naira to various accounts listed on this application. Copy of the statement of the Complainant is hereby attached and marked exhibit ‘B’.”
Flutterwave in its official statement, said; “During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible.” However, the fintech flatly denied that any user lost any funds, as its security measures were “able to address the issue before any harm could be done to our users”.
This denial is in stark contrast to the contents of the petition and affidavit earlier mentioned. If no user funds were lost, how come there was a petition to the police and an application to freeze accounts? The denial and statement shifting blame to “some users who had not activated some of our recommended security settings” is typical of what many financial institutions in Nigeria say whenever a customer complains of unauthorised withdrawals or transfers from their accounts. In the case of Barrister Wole Abidakun v. Diamond Bank Plc.(Suit No: CV/2779/18), which involved unauthorized transfer from customer account, Justice Kutigi of the High Court of the FCT, while delivering judgement on 23 June, 2021 observed thus:
“I agree that because these facilities have security features known only to the customer and so the customer bears some responsibility to secure them, once however a customer makes a serious complaint of foul play in his account, the usual standard and rather lazy and lame response by Defendant Bank that the customer has compromised the security features will not stand or fly in the absence of a forensic investigation to determine responsibility. There must be proper in-house and then police investigations showing clearly and positively that the customer must have indeed compromised the security features or given his PIN numbers to a third party. Bare and empty verbal assertions will not suffice in this age of savvy and sophisticated criminals.”
Now, if it were in the United States, where data breaches and hacks are not tolerated by the financial services regulators, Flutterwave would have been in big trouble. The regulators would have carried out investigations and Flutterwave would have been fined heavily if found wanting. Flutterwave customers would have also likely filed a class action against the fintech.
For instance, in 2020 in the US, a class action was filed against Bank of America for failing to provide sufficient protections for unemployment payment debit cards after thousands across California, fell victim to fraud. Among the issues that were raised in the case against the bank was the lack of secure microchips in unemployment debit cards, a failure to secure private account information and a sluggish response to consumer fraud reports.
Also in the United States, the Consumer Financial Protection Bureau (CFPB) in 2016, found that online payment platform Dwolla, deceived consumers about its data security practices and the safety of its online payment system and therefore ordered Dwolla to pay a $100,000 penalty and fix its security practices.
As of May 2015, Dwolla had more than 650,000 users and had transferred as much as $5 million per day. For each account, Dwolla collected personal information including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.
From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They claimed also that they encrypted all sensitive personal information and that its mobile applications were safe and secure.
However, it was found that Dwolla’s data security practices in fact fell far short of its claims. Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data-security practices by:
(1)Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
(2)Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.
The above action of the CFPB in the US represents how a regulator should act in the face of continuous data breaches and/or hacks. In 2022 it was MTN Mobile Money Bank that was hacked but it is unclear what actions, if any, the regulators in Nigeria took or made against MTN, concerning the breach or hack. The Federal Competition and Consumer Protection Commission, the Central Bank of Nigeria, the Nigeria Deposit Insurance Corporation, and the newly created Nigeria Data Protection Commission needs to sit up and do more.
It is therefore, high time that the regulators in Nigeria mentioned above woke up to their responsibilities and took punitive action against erring financial institutions in Nigeria for data breaches and hacks. Perhaps the fear of sanctions will make the financial institutions to improve on their cyber security practices and better protect customer funds/deposits in their custody.
It is also recommended that there should be a quarterly or yearly report made available to the public, showing financial institutions that were sanctioned for failing to comply with relevant industry cybersecurity framework and/or data protection regulations.