An audit reveals that the Bank of Uganda (BoU) transferred a colossal sum of 16.2 million USD to suspicious accounts in Japan. Uganda’s Auditor General points to systemic flaws and possible criminal intent in the cyber heist of November 2024. The Parliament has just referred the case to Uganda’s Criminal Investigations Directorate (CID) for further investigation.
Vulnerability of Ugandan financial systems
During a high-stakes digital heist, hackers infiltrated Uganda’s Treasury systems and siphoned off an astronomical 16.2 million USD (approximately 60 billion shillings) from the Bank of Uganda (BoU). The heist, first reported in November 2024, sent shockwaves throughout the country, naturally leading to a forensic audit by the Auditor General.
The findings of this audit have sparked intense investigations by the Criminal Investigations Directorate (CID), exposing the vulnerabilities in Uganda’s financial systems.
Auditor general’s report on a 16.2 million USD cyber heist
The explosive revelations were submitted to Parliament on January 9, 2025, when Prime Minister Denis Hamison Obua presented the Auditor General’s report. The report paints a grim picture of systemic flaws and alleged criminal intent in the management of public funds.
Speaker of Parliament Anita Among, after consulting President Yoweri Museveni, referred the report to the CID for further investigation. « Given the elements in the report, these are criminal elements. Due to their criminal nature, we will refer this report to the CID for further handling », said Among, underscoring the gravity of the situation.
However, not all parliamentarians agree with this approach. Ndorwa East County MP Wilfred Niwagaba and Tororo North County MP Geoffrey Ekanya urged parliamentary committees to review the report before it was forwarded to the CID. Their calls were, however, overruled by the Speaker, citing the urgency of the imminent criminal investigation.
How did the cyber heist unfold ?
The seeds of this crisis were sown in November 2024, when media reports revealed that hackers had infiltrated the BoU’s treasury system. These cybercriminals managed to execute fraudulent transactions, with two debt service payments allegedly routed to erroneous recipients in Japan.
BoU Deputy Governor Michael Atingi-Ego later disclosed to the Committee on Statutory Authorities and State Enterprises (COSASE) that these erroneous payments were the result of a mistaken directive from the Ministry of Finance, Planning, and Economic Development. The Deputy Governor also revealed that 8.2 million USD of the stolen funds had been recovered, offering a glimmer of hope in an otherwise grim scenario.
Primary targets of cybercriminals in Africa
In 2023, across various economic sectors, the most targeted organizations were those in the financial sector (18 %), closely followed by telecommunications companies (13 %), government agencies (12 %), and finally, commercial entities (12 %) and industrial entities (10 %).
Major companies such as Onde Flutter, TransUnion, and Porsche headquarters in South Africa, as well as Eskom and the Electricity Company of Ghana (ECG), have been targeted by successful cyberattacks that had adverse impacts on them. Apart from Uganda, large-scale government structures have also been targeted by cybercrime attacks: the Bank of Zambia, and government institutions in Ethiopia, and Senegal.
Uganda’s cybersecurity measures in the spotlight
The BoU heist highlights the growing threat of cybercrime in an increasingly digital world. Experts warn that Uganda, like many developing countries, faces significant challenges in combating sophisticated cyberattacks. This incident serves as a stark reminder of the need for robust cybersecurity infrastructure and proactive risk management strategies.
As the CID takes over the investigations, the public awaits not only the identification of the perpetrators but also an internal review of the systemic flaws that made such a brazen act possible. Lawmakers and citizens are demanding justice and reforms to prevent similar incidents in the future.
Consequences of cyberattacks affect entire regions
In most cases, cyberattacks aim to steal sensitive data: 38 % of African companies fall victim to it. Business operations are also frequently disrupted by criminal acts. To illustrate, one in three successful cyberattacks, and 35 % of the main activities of startups, suffer disruptions. Direct financial losses were recorded in 7 % of incidents.
The repercussions of a successful cyberattack can vary widely. Their influence can range from the disruption of a single individual to that of industries or even entire regions. For banking institutions, this may include large-scale thefts or fraud targeting users. For industrial companies, this could involve alterations to technological processes with serious repercussions for citizens.
