Following a major cyberattack on the Bank of Uganda, which led to the loss of approximately 62 billion Ugandan shillings ($16.87 million), the Ugandan authorities have arrested nine officials from the Ministry of Finance.  

The cyber breach, which was reported last November, raised concerns about the security of Uganda’s financial institutions.

Uganda’s central bank, through the State Minister for Finance, Henry Musasizi confirmed the IT system breach and illegal transfer of funds. However, the finance ministry refuted claims that the stolen funds were as much as 62 billion Ugandan shillings ($16.8 million) as reported by the state-owned New Vision newspaper.

“It is true that our account was hacked, but not to the extent of what is being reported,” he said in November. 

He said then that investigations were underway, and a report of the entire incident would be presented before the House.

“To avoid misrepresentation of facts, when the audit and CID investigations are finalized, I beg that I come to this house and report,” he said.

The cybercriminals, allegedly operating under the alias “Waste,” executed fraudulent transactions, raising alarms about the security of Uganda’s banking infrastructure.

With key finance ministry officials implicated, suggesting that the scandal was due to internal corruption or negligence has further placed a question on the public’s confidence in Uganda’s financial institutions.

The Uganda hack

According to Reuters, the hacking group based in Southeast Asia sent part of the stolen money to Japan, citing unnamed sources at the bank. 

Following this, the United Kingdom authorities froze about $7 million, although the robbers had already withdrawn a portion of the cash where the syndicate received $6 million in Japan.

The reporting newspaper, New Vision also claimed in November that the central bank had successfully recovered over half of the money from the hackers. In response to the cyber attack, President Yoweri Museveni ordered an investigation. 

Uganda’s biggest independent newspaper, Daily Monitor, had raised the opinion that the theft may have involved collusion by insiders.

In the same vein, Uganda has faced previous challenges in financial security which prompted the Bank of Uganda to mandate ID verification in April 2024, for transactions exceeding 1 million Ugandan shillings.

However, the latest breach highlights that trust in government agencies handling national finances is critical and that internal governance and cybersecurity measures may still be insufficient.

The Central Bank of Uganda breach is part of a rising financial cyber fraud across Africa. 

In South Africa, the South African Banking Risk Information Centre (SABRIC) reported a surge in fraud cases in 2023. This includes a 100 per cent increase in fraudulent applications for vehicle asset financing and a 46 per cent rise in mortgage fraud. 

Also in March 2024, Ethiopia’s largest bank, the Commercial Bank of Ethiopia, suffered a “systems glitch” that resulted in a $40 million loss.

The red flags extend to Nigeria. According to a November 2024 Fraud and Forgery report by the Financial Institutions Training Centre (FITC), Nigerian banks lost N53.4 billion in nine months to hackers. This revealed the weak hands of the bank operators against cyber criminals. 

During the first three quarters of 2024, the N53.4 billion stolen in the first nine months of this year was N44 billion more than the N9.4 billion that was stolen during the same period last year, representing a whopping 468 per cent increase over a year.

The report showed that cybercriminals stole N468.4 million during the first quarter. The figure skyrocketed by 9037.5 per cent to N42.8 billion in the second quarter. The third quarter of 2024 witnessed a slowing down, with Nigerian banks losing N10.1 billion in the quarter, representing a decline of 76.4 per cent. 

In its corrective measures, the Central Bank of Nigeria (CBN) recently directed the Nigeria Inter-Bank Settlement System (NIBSS) to debit the settlement accounts of commercial banks that receive fraudulent proceeds. The new rule is part of the CBN’s efforts to hold banks and fintech accountable for lapses in their transaction monitoring systems.

In rebuilding trust and preventing future breaches, African nations must prioritize cybersecurity enhancements including upgrading banking IT systems, implementing stricter internal oversight, and ensuring that financial institutions are transparent.