
Elephant in the Room: MTN Hack - More questions than answers

Opinion


Former FBI Director Robert S. Mueller III once said, “There are only two types of companies in the world: those that have been hacked and those that will be hacked.” But almost by the time he said it, the statement had gone out of date; it should instead read, “There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”

In my humble view, going by the two statements, there could actually be three types of companies in the world today:

• Those that have been hacked and are aware of it
• Those that have been hacked but are not aware of it
• Those that will be hacked

A good friend of mine, who is a cybersecurity expert, once told me that no security setup, physical or digital, is foolproof. The simplest explanation he gave for my layman's mind to grasp was that even the keyhole in the door to your house is an avenue for a possible breach. So, if you hear any company bragging about having the most robust systems to ensure absolute security and safety for customers, just know that, strictly speaking, it is just talk and very far from the reality.
It was only on Thursday, April 24, 2025 that the MTN Group, for the first time, informed the public that its network had been hacked and that some customer information had been compromised in some markets. That first statement from the Group essentially communicated three things about the incident:

1. An “unauthorised access to personal information of some MTN customers in certain markets”.

2. “An unknown third-party has claimed to have accessed data linked to parts of our systems. At this stage we do not have any information to suggest that customers’ accounts and wallets have been directly compromised.”

3. “Our core network, billing systems and financial services infrastructure remain secure and fully operational.”

So, whereas MTN is telling us that hackers claim to have access to data linked to parts of its systems, it also insists those systems remain secure and intact.

Subsequent to that first line of communication, MTN Ghana issued another statement four days later, on Monday, April 28, 2025, indicating that some 5,700 MTN Ghana customers may have been affected and that those customers are being contacted. Take note that the MTN Group said the hack affected customers in some markets, but so far none of the remaining 18 MTN markets has reported how many customers were affected there. In fact, media reports from some of the markets only mentioned the Ghana case.

But here is where it gets even trickier. On Thursday, May 1, 2025, another statement from the MTN Group communicated two main things:

• That the customer information compromised or accessed by the hackers consists of basic details such as first names, surnames and phone numbers, suggesting that the hackers do not hold any critical information with which they could cause damage.

• That the hackers are making demands on MTN. What exact demands they are making, MTN did not say.

One can understand that MTN has adopted its own strategy to manage this crisis, part of which is the manner and timing in which it has decided to communicate particular sets of information to the public.

So far, the kind of information communicated to the public and the timing of each release raise more questions than answers, as per our conversation with some stakeholders, including cybersecurity experts.

Before we get to the expert questions, let's take a look at some questions lingering in the minds of the layman from what MTN itself has told us so far:

Layman Questions

• MTN told us about the hack on Thursday, April 24, 2025. Does it mean the hack happened on that day, or that was the day they got to know about it, or that they got to know about it earlier but decided to tell us on that day? Take note that, per Robert S. Mueller's quote in our opening paragraph, MTN may be one of those companies which had been hacked for a long time without knowing about it until now. MTN Ghana customers have been victims of massive fraudster activity long before now. Could it be that all those customer experiences were signs of a hack?

• If MTN says the hack happened at the group level and the impact is in "some markets", how come only Ghana has reported that 5,700 customers may have been affected? Did the hack really happen at the group level, or did it happen only in Ghana? And if it really happened at the group level, are MTN Ghana's systems the only ones so vulnerable that only Ghanaian customers had their data stolen?

• If MTN says, in spite of the hack, all of their core systems are intact, how come the hackers obtained customer data from those same systems that are so robust and secure? Are the MTN systems really that secure?

• If MTN says the information stolen is basic, how come the hackers are making demands - what leverage do the hackers have to make them make demands - and if their demands are not met what damage can they cause to the MTN network and to customers, particularly now that MTN says it is still assessing the full implication of the hack?

• What are we not being told - is the information given to customers so far empowering enough for customers to take the necessary steps to protect themselves?

Timing of Information Release

One can understand that in crisis management, the kind of information released to the public and the timing of each release are very critical to keeping faith with the public and protecting them from any harm. But in the opinion of some experts, the timing of the release of some of the information from MTN so far raises more questions than answers.

For instance, the public was first informed about the hack on April 24, 2025, but there was no information on when exactly the hack happened. Experts speaking with Techfocus24 suggest that the hack may have most likely happened long before the date of the first communication.

Again, in the first communication, MTN failed to tell the public exactly what kind of customer data had been compromised; they first mentioned that on May 1, 2025, which suggests that they only got to know what kind of data had been compromised after April 24, 2025. But experts suggest that MTN may have known exactly which customer data was compromised long before April 24, 2025, and decided to communicate it on May 1, 2025 as if it were new information. That impression is not a good one because, to the public, it means MTN is not on top of issues.

The other thing which is even more worrying is the timing of the communication about the demands of the hackers. MTN had earlier told customers that its systems, customers' accounts and wallets were intact, so there was no cause for alarm. Then a week later, on May 1, 2025, MTN communicated to the public that the hackers are making demands. So the question then is, if MTN's systems as well as customer accounts and wallets are as intact as MTN had made the public believe, what leverage do the hackers now have to make demands as late as May 1, 2025?

Is it also the case that the hackers made the demands from the onset but MTN chose to leave that information out of its first communication on April 24, 2025? Or, subsequent to the first communication, have the hackers now given MTN a fresh indication of the damage they can cause, so that they now want something from MTN?

So, whereas one can understand that information management plays a critical role in a crisis like the one MTN is currently facing, the timing of some of the information being released also raises questions in the minds of customers and other stakeholders.

The other question then is what other information has been available to MTN from day one, which it is keeping close to its chest to release at the time it feels apt, and whose interests the timing of that release would serve: MTN's or the customer's?

The Social Engineering Excuse

Now here is why it is necessary to empower customers with the right information at the right time, so that they can take their own decisions:

For several years, MTN Ghana customers have been complaining about the way fraudsters obtain customers' mobile money details and use them not only to steal from their mobile money wallets, but to go all the way into their bank accounts and steal money. When that happens, in 99% of the cases, investigations by MTN point to 'social engineering', where customers are manipulated by fraudsters into divulging sensitive information such as their MoMo PIN, OTPs (one-time passwords) and other details that fraudsters take advantage of.

But there have also been several cases where fraud on customers started from a SIM swap, where the customer's MTN SIM card was swapped without the customer's consent, and the details were then used to access either the victim's wallet or bank account. A SIM swap can never happen without the involvement of an MTN staff member. In 2023, the Bank of Ghana's financial sector fraud report indicated that over GHS4.6 million was stolen from people's wallets and bank accounts via SIM swap fraud.

Protection of Insiders

The telcos often point people away from themselves whenever there is mobile money fraud. But over time, they have begun to admit that some of the cases involve staff, and so they have started sanctioning those found culpable. But they never make such sanctions public. So, the insiders involved pretty much get away with just a sacking. In fact, the police have complained several times that when investigations begin to point to insiders, MTN usually begins to put stumbling blocks in the way of the police and never helps the police to get those insiders.

This is why it is important that MTN be fully transparent with the details of this hack, so that we know exactly what has happened and exactly what to do as customers, instead of having to depend on MTN's strategic release of information for its own benefit.

Regulatory Intervention

We are aware that regulators are conducting some independent investigations into the matter and will be reporting to the public in due course. The regulators involved are the National Communications Authority (NCA), the Cyber Security Authority (CSA) and the Data Protection Commission (DPC), under the auspices of the Ministry of Communication, Digital Technology and Innovations.

So far, the DPC and the Ministry have released statements on the matter. Both statements looked like they were pretty much lifted directly from MTN's earlier statements, and that is not good enough. The public needs the regulators to take up this matter strongly and independently, and to be the ones telling the public what to do, not because we do not trust MTN, but because the regulators are more likely to tell us as it is than MTN would, since MTN has reason to manage information in a way that would not expose its own possible negligence.

CSEAG

It is therefore not surprising that almost two weeks after the MTN incident, and despite all the information MTN has put out about it, the Cyber Security Experts Association of Ghana (CSEAG) has still found reason to call on MTN to be fully transparent with the public on the matter. As cybersecurity experts and practitioners, they have reason to believe that MTN has not been fully forthcoming with information on this matter. As pointed out under Layman Questions above, even ordinary people have nagging questions on their minds.

Speaking of cybersecurity experts, I have had the privilege of chatting with one, who has worked across the banking and telecom sectors over the years. Here are some questions he believes MTN must answer in its communication to the public. These questions could also form the basis of a thorough independent investigation.

I present them verbatim, exactly as the expert sent them to me:

Expert Questions

From a technical perspective, below are a few questions I will suggest as a tech journalist you must ask and perhaps write an article on. This is to ensure transparency, customer protection, and stakeholder assurance:
A. Incident Details and Technical Nature
1. What was the specific attack vector or entry point used by the threat actors?
2. Was the breach localized to Ghana's infrastructure or did it originate from a shared Group-level system?
3. Did the attackers gain access through internal credentials, APIs, third-party platforms, or misconfigured services?
4. Were any systems housing sensitive or regulated personal data impacted?
5. Were privileged accounts or administrative credentials compromised?

B. Scale, Scope, and Impact
1. How was the figure of 5,700 affected customers established?
2. Are there any indications that a larger number of customers may have been impacted?
3. Is there a breakdown of the affected customers by segment (e.g., prepaid, postpaid, corporate)?
4. Have you detected any evidence of post-breach activities such as SIM swap attempts, phishing, or fraud?

C. Containment and Remediation
1. What specific mitigation and containment actions were taken following detection?
2. Has MTN engaged an independent cybersecurity firm to investigate and verify the breach?
3. What system upgrades or process improvements have been implemented post-incident?
4. Is MTN conducting thorough penetration testing or security audits on the affected infrastructure?

D. Communication and Regulatory Compliance
1. Why has Ghana been the only market to disclose customer impact, despite this being referred to as a Group-level incident?
2. How are affected customers being notified and supported?
3. What steps are being taken to comply with the Ghana Data Protection Act and relevant breach notification obligations?

E. Threat Actor Engagement and Risk Management
1. Can you confirm the nature of the threat actors’ demands?
2. Has MTN verified the authenticity of the data in the attackers' possession?
3. Is MTN collaborating with the Cyber Security Authority, CERT-GH, and relevant law enforcement agencies?

Question 4 under point B is particularly interesting for me:

Have you detected any evidence of post-breach activities such as SIM swap attempts, phishing, or fraud?

Just last week, the CEO of a leading micro-insurance company shared a voice note of a call he had from a fraudster. The fraudster already knew he had four bank accounts at a particular bank, what type of accounts they were and the account number for each of them. It was scary listening to the details the fraudster had on the man. This happened after the hack. Could it be related to the hack?

So, you see that the expert questions are not too far from what is lingering on the layman's mind. MTN may have addressed some of the issues raised in the expert's questions, but there are even more critical questions begging for answers, and so far MTN's communication on the matter has not done justice to those issues. They need to be a bit more forthcoming, and in a timely fashion. This release of information in bits and pieces, and the timing of the releases, is only making us more confused.

For instance, you can't tell us, at one point, that your systems are intact in spite of the hack, then a week after, you come and tell us hackers are making demands, and expect us to still hold on to the previous information that your systems are still intact. Again, you can't tell us the hackers claim to have access to data linked to your systems, then tell us that those same systems are safe and secure. So far, those pieces of information don't add up.

We leave it here.

source: Samuel Dowuona