Flutterwave, a leading payment processing company, has suffered another security breach, marking the fourth unauthorised transfer incident in the last fourteen months.
News About Nigeria gathered that this latest breach comes just one month after the company obtained a court order to recover $24 million lost to unauthorised POS transactions.
Flutterwave has a court order—a Mareva injunction—that allows it to recover funds and assets from identified account holders, even if the funds have already been spent, using the KYC details provided by financial institutions.
In April 2024, unknown perpetrators managed to divert billions of naira to multiple bank accounts over a period of four days.
According to insiders with direct knowledge of the incident, the illegal transfers amounted to ₦11 billion ($7 million), though another source claimed the figure could be as high as ₦20 billion ($13.5 million).
Flutterwave, in a statement to TechCabal, acknowledged the breach, stating, “As is common in the financial services industry, there will always be attempts by bad actors to compromise the security of systems set up to protect and monitor services. In April, we detected unauthorised activities inconsistent with usual customer behaviour on one of our platforms used by a small subset of our customer base.”
The company assured that no customer funds were lost or compromised, and the confidentiality of customers’ data remains intact.
Despite this assurance, a highly-placed source revealed that the stolen funds were transferred to several accounts in five financial institutions.
The perpetrators cleverly evaded detection by keeping deposits below the thresholds that would trigger fraud checks. Law enforcement has been notified, and investigations are underway.
Two executives in the financial services industry confirmed the incident, noting that Flutterwave has reached out for Know Your Customer (KYC) details of the involved accounts, which have been temporarily restricted.
These breaches often involve sending money to unsuspecting users’ accounts, whose details are obtained online or through social engineering.
This incident follows previous breaches in October 2023, when about 6,000 account holders across 35 banks and financial institutions received ₦19 billion ($24 million) through unauthorised transactions by POS merchants.
Earlier breaches in March and February 2023 saw ₦550 million and ₦2.9 billion, respectively, diverted to bank accounts.
