Flutterwave suffers ₦11 billion loss in security breach

Flutterwave Cybersecurity Breach

In a shocking cyberattack, financial technology giant Flutterwave has reported a loss of ₦11 billion following a significant cybersecurity breach. The breach, which has sent shockwaves through the fintech industry, underscores the growing threat of cyber attacks targeting the financial institution.

Just a month after securing a court order to reclaim $24 million lost in unauthorized POS transactions, Flutterwave has been hit by yet another security breach. This latest incident has enabled unidentified individuals to divert billions of naira into numerous bank accounts.

According to a source within the financial services sector who was directly informed about the matter, the perpetrators unlawfully transferred ₦11 billion (approximately $7 million) to multiple accounts in April 2024. However, a second insider suggested that the total amount involved could be significantly higher, estimating it to be at least ₦20 billion ($13.5 million).

Flutterwave responded to the incident in a statement to TechCabal, acknowledging the persistent threat of malicious actors attempting to compromise security systems in the financial services industry. The company stated, “In April, we identified unauthorized activities that deviated from typical customer behavior on a platform utilized by a small segment of our customer base.”

While Flutterwave refrained from disclosing the exact sum involved, the company affirmed that “no customer funds were compromised, and the confidentiality of our customers’ data remains secure.”

Nonetheless, according to a reliable source familiar with the matter, the pilfered funds were transferred to numerous accounts across five financial institutions within a span of four days. The perpetrators likely evaded detection by ensuring that the deposited amounts remained below thresholds that would trigger fraud alerts.

Flutterwave is a leading player in the African fintech landscape. Although, the company said “no customer funds were lost or compromised, and the confidentiality of customers’ data remains intact.” But such cyberattack usually exploit vulnerabilities in fintech company’s security infrastructure, allowing unauthorized access to sensitive data and financial assets.

In response to the breach, Flutterwave has taken immediate steps to enhance its cybersecurity measures and mitigate the risk of future attacks. In addition, the person familiar with the matter stated that the incident has been reported to law enforcement authorities, and investigations have commenced.

The two executives familiar with the matter from the company have confirmed the occurrence of the incident, revealing that Flutterwave has taken steps to acquire Know Your Customer (KYC) details for the affected accounts. Moreover, they disclosed that measures have been implemented to temporarily restrict access to these accounts.

In traditional breaches of this nature, perpetrators typically conceal the movement of funds by distributing them across numerous unsuspecting individuals’ bank accounts, often acquired through online channels or social engineering tactics. These details are then utilized in programs designed to automate large-scale transfers.

However, the breach in April appears to diverge from this pattern. According to a senior staff member at a financial institution, evidence suggests the involvement of an organized network in the distribution process.

The perpetrators’ strategy involved transferring funds seemingly at random to various accounts, which in turn reciprocated by transferring funds to other accounts, ultimately circling back to the initial beneficiary account, creating a closed-loop system. This method contrasts with past attempts to obfuscate trails through unconnected outsider accounts.

This recent breach marks the fourth instance of unauthorized transfers at Flutterwave reported in the past fourteen months. In October 2023, approximately 6,000 account holders across 35 banks and financial institutions received ₦19 billion ($24 million) through unauthorized transactions facilitated by POS merchants. These repeated incidents have raised significant concerns about the security protocols in place at the fintech company.

Earlier in 2023, Flutterwave experienced similar breaches. In March, about 107 bank accounts across 27 banks received ₦550 million through unauthorized transfers. Just a month prior, in February, ₦2.9 billion was diverted to the same number of accounts across the same number of banks, according to court documents reviewed by TechCabal. These incidents indicate a troubling pattern of security vulnerabilities that have yet to be fully addressed.

Identifying the account owners involved in the latest breach may prove easier due to recent regulatory changes. By March 2024, the Central Bank mandated that all financial institutions require customers to provide a bank verification number (BVN) or a national identification number (NIN) when opening accounts or wallets. This measure is expected to enhance the traceability of account holders and aid in the investigation and recovery of funds in such incidents.

In February, Flutterwave secured a court order—a Mareva injunction—that allows it to recover funds and assets from identified account holders, even if the funds have been spent. With the KYC details provided by these financial institutions, Flutterwave aims to reclaim the diverted funds and prevent further unauthorized transfers. This legal backing is a crucial step in mitigating the impact of these breaches and reinforcing the company’s commitment to securing its financial systems.

The cybersecurity breach has raised concerns among stakeholders and customers about the safety and integrity of digital financial services. With cyber attacks becoming increasingly sophisticated and prevalent, the incident serves as a stark reminder of the urgent need for robust cybersecurity measures in the fintech sector.

As Flutterwave grapples with the fallout from the breach, industry experts emphasize the importance of proactive cybersecurity strategies and continuous monitoring to safeguard against emerging threats. The incident underscores the critical role of cybersecurity in protecting the integrity of financial systems and preserving consumer trust in digital transactions.

Flutterwave has assured its customers that it is working tirelessly to address the security breach and minimize the impact on its operations. However, the incident serves as a sobering reminder of the constant vigilance required to combat cyber threats in an increasingly interconnected world.