Fintech giant Flutterwave loses ₦11 billion to security breach
This incident occurred just one month after Flutterwave secured a court order to recover $24 million lost due to unauthorized POS transactions, TechCabal reported.
According to a financial services insider with direct knowledge of the incident, the perpetrators illegally transferred ₦11 billion ($7 million) to several accounts in April 2024. However, a second insider claimed that the amount involved was at least ₦20 billion ($13.5 million).
What Flutterwave said:
“As is common in the financial services industry, there will always be attempts by bad actors to compromise the security of systems set up to protect and monitor services,” Flutterwave told TechCabal in a statement.
“In April, we detected unauthorized activities inconsistent with usual customer behaviour on one of our platforms used by a small subset of our customer base.”
Flutterwave did not disclose the exact amount involved but stressed that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains secure.”
However, a highly-placed individual with insight into the incident revealed that the stolen funds were transferred to multiple accounts across five financial institutions over four days.
The incident likely went unnoticed as the perpetrators ensured that the deposits stayed below thresholds that would prompt fraud checks.
Breach issues are not new to Flutterwave. In February 2023, hackers transferred over ₦2.9 billion from Flutterwave accounts. In October 2023, about 6,000 account holders across 35 banks and financial institutions received ₦19 billion ($24 million) illegally transferred through unauthorised transactions by POS merchants.
The matter has been reported to law enforcement, and investigations have commenced, stated the same individual who requested anonymity.
Two executives in the financial services industry confirmed the incident and said Flutterwave reached out to request KYC details of the accounts involved. They also claimed that the accounts related to the incident have been temporarily restricted.