At least UGX6 billion stolen in Pegasus mobile money hack
Investigators probing the stunning break into the mobile money transfer and mobile banking platforms of at least four major Uganda corporates, have established that the fraudsters were able to ferret away at least UGX6 billion before the fraud was detected.
According to a preliminary report presented to the victim companies, the fraud that started in the evening of October1 had loaded UGX9 billion for transfer to multiple mobile money accounts in different parts of Uganda but only UGX6billion had been cashed by the time the intrusion was discovered in the afternoon of October 3.
The fraud started when yet to be identified hackers broke into the systems of mobile money integrator Pegasus Technologies. The company integrates and reconciles mobile money transactions between telcos, banks, and several local, regional, and international money transfer services.
A source familiar with the ongoing forensic probe says hardest hit were Airtel, Bank of Africa and Stanbic. The full impact on MTN, Uganda’s biggest telco was yet to be established but sources say indications so far are that it was minimal because the company had in recent months upgraded its cybersecurity protocols.
Investigators are probing multiple lines including the possibility of insider fraud at Pegasus, a 13 year old company that was set up by individuals who have previously worked as IT managers at National Water and Sewerage Corporation, Stanbic Bank Uganda and Airtel Uganda.
There is a particular focus on hiring practices at Pegasus which have led to a high turnover of people who had deep levels of access to the company’s IT platforms and protocols. Investigators from multiple agencies want to eliminate the possibility that some of these could have continued to have access to the company’s IT platforms or worked with insiders to hack their way into Pegasus where the fraud originated. According to a source that did not want to be named, standard practice requires that IT professionals in critical roles stay with an employer for at least 10 years before moving on.
Investigators also want to establish how the fraudsters were able to cash-in their heist from hundreds of mobile money accounts in different parts of the country over a 40 hour window. While one can deposit up to UGX7 million over 24 hour period, mobile money withdrawals are capped at UGX 3.8 billion over the same period. Withdrawing UGX6 billion in a single day would have required 1579 mobile money accounts or 790 over two days. One would also need a string of agents in the loop to disperse the transactions across the country the way the fraudsters did.