By Stephen KEMETSE
MTN Group disclosed a cybersecurity incident on April 24, 2025. The company confirmed that some customer data had been accessed improperly across multiple regions but did not identify the specific subsidiaries or nations involved.
The group stated that they had informed South African authorities, such as the South African Police Service and the Hawks, which is also referred to as the Directorate for Priority Crime Investigation (DPCI).
On April 28, MTN Ghana released a statement saying they experienced a cyber security breach which initially appeared to impact approximately 5,700 customer records.
The firm guaranteed clients that their main systems remained protected and stated that inquiries were being conducted to assess the complete extent and effect of the incident. They also provided fundamental cybersecurity guidance to every user.
These rapid responses are praiseworthy; nonetheless, the incident reporting deadlines reveal a potential significant loophole. For instance, global data protection standards like the European Union’s General Data Protection Regulation (GDPR) establish a threshold of 72 hours for informing regulatory bodies when a data breach occurs.
According to Ghana’s Data Protection Act from 2012 (Act 843), data controllers must quickly inform both the Data Protection Commission and those impacted individuals when a breach has the potential to cause significant harm.
We hope that these regulatory reporting requirements were not violated. The four-day delay from when MTN Group disclosed the issue until the public in Ghana received information has sparked worries about the timeliness and order of communication with local regulators, the openness of their messaging, and whether international companies possess effective procedures for disclosing incidents at the national level.
We think that MTN might offer more insight into whether the breach impacted its telecommunications division or its financial services sector.
In line with regulatory requirements, MTN Ghana has organizationally separated its telecommunications activities (such as voice and data services) from its financial services sector (primarily, MTN Mobile Money or MoMo). This separation is highly significant.
A security lapse within the financial services department could lead to increased oversight from the Bank of Ghana according to the Payment Systems and Services Act. This might affect customer funds, Know Your Customer (KYC) documentation, as well as anti-money laundering measures.
In comparison, a violation limited to the telecommunications division would mainly involve the supervision of the National Communications Authority and come under the purview of the Electronic Communications Act.
This explanation is needed so that customers can take effective preventive actions and allow regulators, partners, and industry watchers to properly gauge the extent, consequences, and requisite protections after the incident.
According to the World Economic Forum, companies that have cybersecurity oversight at the board level are 43 percent more likely to prevent significant damage from attacks.
Although we can’t discuss MTN’s internal management practices, this situation offers valuable insights—not just for multinational corporations and top-tier businesses in Ghana but also for smaller firms across the country as well.
Cybersecurity is not merely a technological concern anymore; it has become a key aspect of leadership, risk management, and corporate governance, significantly influencing whether revenue is safeguarded or squandered.
Based on IBM’s 2023 Cost of Data Breach Report, the worldwide average expense associated with a data breach stands at $4.45 million. The financial sector particularly faces higher costs from such breaches.
Moreover, companies may face regulatory penalties, legal responsibilities, loss of customers, and enduring harm to their reputation. In Africa, where mobile money services are crucial for many individuals, maintaining trust is particularly critical.
A crucial aspect is ensuring regular public updates at predetermined intervals. In the absence of such a schedule, stakeholders tend to bridge these knowledge gaps through conjecture, which can exacerbate damage to reputation.
Currently, incorrect details are spreading across various social media channels regarding the security of funds within MoMo wallets after MTN Ghana revealed the data breach.
These amplified speculations can be mitigated by providing regular updates at intervals like every 48 or 72 hours, thereby demonstrating control, accountability, and transparency.
Customers, regulators, and partners require regular updates on when they can expect further communication from you, even if it’s just to inform them that investigations are still underway. Establishing and adhering to a consistent update timeline showcases your control of the circumstances and aids in fostering public trust.
This event acts as a wakeup call for businesses across the board, particularly for small and medium-sized enterprises in Ghana. Cybersecurity is not an option anymore; it has become a critical business necessity ensuring financial stability.
Businesses of every scale can defend their profits and clientele, secure their standing, and contribute to building a robust, durable digital economy for Ghana and the continent of Africa.
>>>The individual serves as the Director at Payplus Africa
He can be contacted through
[email protected]
Provided by Syndigate Media Inc. (
Syndigate.info
).
Leave a Reply