How Hackers Breached Securities of Two Nigerian Banks by Kelechi Deca

Access Bank’s Head of Corporate Communications, Amechi Okobi,

Reports of weak security systems in the Nigerian financial sector which has been making the rounds since the great lockdown came to a head last week when Bank Security, a Twitter handle that focuses on online security issues in banking tweeted that the database of Unity Bank Plc has been breached. The tweets went on to claim that many hackers are sharing the data with one hacker boasting that they had shared “only small dump” from the bank, and said “bigger dumps coming [sic] soon”. At least three other hacker forums have since reportedly shared the same database, according to Bank Security.

Access Bank’s Head of Corporate Communications, Amechi Okobi,
Access Bank’s Head of Corporate Communications, Amechi Okobi,

Read alaos:Nigeria’s Central Bank Gives Approval for 9PSB to Commence Operations With *990#

The online report sent thousands of customers into a frenzy as the hackers boasted that they have access to data of millions of customers and can make transfers and withdrawals easily without the interference of the banks involved. Instead of addressing the issue Unity Bank adopted a “wait and see” attitude believing the news will die a natural death but with more tweets spotlighting on the issue, Unity Bank was forced to issue a statement addressing the matter while not explicitly denying the breach or dismiss the associated data.

Read also:Why World Bank Suspended ‘Ease of Doing Business’ Rankings

In a tersely worded statement, Unity Bank said that “Our attention has been drawn to social media reports purporting a data breach of our systems. For the avoidance of doubt, Unity Bank wishes to reassure all customers that we take the protection of their personal information very seriously in accordance with data protection legislation.“The Bank hereby reassures its customers and the public at large, of the integrity of its systems, controls of which are continually enhanced in line with best practices, to forestall attempts at compromising confidential data.” 

Then on August 31, a hacker named Ihebuzo Chris posted a video with his Twitter handle in which he claimed to have stumbled upon sensitive customer data of Access Bank Plc. According to Mr. Ihebuzo, his focus was not to tamper with the Bank’s data; rather he wanted to draw the attention of the Bank to the vulnerabilities within its security system, thus the need to strengthen their firewall. To back up his claims, he printed out hundreds of the Bank’s customer information.

Reacting to the claims, Access Bank dismissed the claims by Mr. Ihebuzo Chris assuring their customers that their data is secured. In a statement by Access Bank’s Head of Corporate Communications, Amechi Okobi, the Bank said; “Our attention has been drawn to some social media reports claiming a data breach of our systems. Access Bank herewith confirms that there is no cause for alarm. We would like to reassure all our stakeholders and the general public of the security and integrity of our banking platforms which at this time are the best-in-class.”

Read also:Why World Bank Suspended ‘Ease of Doing Business’ Rankings

Analysts say that keeping track of the number of cyber breaches that take place in the country is very hard because very few Nigerian companies would actually admit publicly when a breach has happened due to its attendant dent on the image of the organisation. A source at one of the nation’s big banks told The Economy that the industry loses huge sums of money to hackers and other forms of insider cyber leaks that the public are not aware of.

According to systems analysts that spoke to The Economy, this development highlights a challenge many have been aware of in recent times concerning the weakness in the firewall protection of some major financial institutions in the country. Bank Security, which was the first to disclose the alleged breach, said it was a database file “containing PII data of over 53k customers.” But on close examination of the SQL script and data posted online, the data is not customer information but recruitment data from a possible past enrollment exercise. However, this does not mean the data leak is any less serious. The leak is said to include people’s names, house addresses, emails, phone numbers and their dates of birth. Such information in the hands of criminals is a very serious issue, says a systems analyst who works in one of the big banks.

Read also:Stakeholders Engagement and Security Will be Key to Ensure the Success of Mozambique’s LNG Projects

It could be recalled that the issue of cybersecurity has been a recurring one in recent times as many organizations across Africa work to strengthen their securities in the face of security breaches in different countries with Nigeria and South Africa being prominent. In July, Till Kottman, a Swiss-based IT consultant, compiled a list of 50 Nigerian companies whose source code had been exposed online.

Experts have warned that as the Internet of Things (IoT) plays far more roles in our everyday existence, breaches as this would become common, thus the need for organizations to raise the bar in cybersecurity and governments to create more awareness and regulatory oversights.

In its Nigeria Cyber Security Outlook 2020, international consulting firm, Deloitte described 2020 as the “Year of Shifts” in cybersecurity. According to Deloitte, 2020 will witness unprecedented cyber-attacks and cybersecurity solutions. “For the year 2020, we envisage a number of shifts that will affect the Nigerian Cyberspace – shifts in attack targets; attack magnitude; identification and authentication; monitoring; awareness and education; regulatory oversight; collaboration; and a shift in the way organisations deal with cyber-attacks”, Deloitte affirms.

Read also:Nigerian Central Bank Orders Banks To Share Customer Data With Fintechs

Nigeria is not alone, on August 19, South Africans woke up to the news of a massive data breach that saw the data of 24 million people and 800,000 businesses fall into the hands of a fraudster. The breach, of the South African branch of consumer credit reporting agency Experian, was the biggest of the year so far in sub-Saharan Africa and highlights growing security threats throughout the region. While the value of scams and breaches in Africa thus far in 2020 pales in comparison to more developed economies, the number of attacks that enterprises withstand is growing fast. African enterprises are attacked by malicious hackers more frequently than enterprises elsewhere in the world, according to Check Point Software research.

Kelechi Deca

Kelechi Deca has over two decades of media experience, he has traveled to over 77 countries reporting on multilateral development institutions, international business, trade, travels, culture, and diplomacy. He is also a petrol head with in-depth knowledge of automobiles and the auto industry

Nigerian Banks Fret Over New Directives on Loans

Banks

A new directive by the Central Bank of Nigeria (CBN) ordering banks to have a minimum loan to deposit ratio of 60% by the end of September 2019. The directive according to the Apex bank is intended to get the commercial banks to lend more to the real economy and buy fewer government securities.

Observers, however, differ on the impact of this directive with some expressing worries over the timing which they say could have a negative impact on asset quality.

Others are of the view that the move “may unintentionally result in a reduction of banks’ risk management criteria for loan extension and by extension a deterioration in asset quality. With a few calling for new policies designed to increase bank lending to follow.

Banks
 

Loan ratios at Nigerian banks shrank between 2016 and 2018 as slower economic growth and high yields on government securities prompted banks to load up on lower-risk assets.

The new move encourages lending to small and medium-sized businesses (SMEs), mortgages and consumer loans by overweighting these loans at 150%.

That aims to encourage banks to accept the risk of an increase in non-performing loans (NPLs). Consumer lending in Nigeria is hampered by lack of reliable household credit records and weak recovery enforcement, Moody’s says in a note on July 8.

Midsize banks with higher exposure to consumer and SME loans tend to have higher NPL ratios than large banks, according to Moody’s.

Banks that fail to meet the new threshold will have to pay half of the shortfall as an additional cash reserve requirement. Moody’s argues that banks will be forced to diversify their lending, so reducing concentration risk, and says that most have already complied.

On the banks most affected by this development, our findings show that Zenith Bank, United Bank for Africa (UBA), Guaranty Trust Bank (GTB) and Stanbic are most affected as they have loan ratios lower than the threshold.

Ignoring the central bank’s weighting concession for lending to preferred sectors, Abimbola calculates that Zenith and UBA will both have to increase their loan books by over 350bn naira (870m euros, $970m) by September 30.

GTB and Stanbic will have to add 165bn naira and 30bn naira of new loans respectively, he says. That implies absolute quarter-on-quarter loan growth of 20% for Zenith. From experience, it is unusual for banks to increase their loan books by more than 10% in the whole year.

This could see downside risk on NPLs in the short term, which may prompt markets to start to pricing in negative headlines from the banks. Charles Robertson, a global chief economist at Renaissance Capital, says that a market-friendly option would be for the government to close its budget deficit.

This would force banks to lend to someone other than the government, he says. In the longer term, lower inflation would cut interest rates and encourage lending and borrowing, he argues.

 

 

Kelechi Deca

Kelechi Deca has over two decades of media experience, he has traveled to over 77 countries reporting on multilateral development institutions, international business, trade, travels, culture, and diplomacy. He is also a petrol head with in-depth knowledge of automobiles and the auto industry.

Facebook: https://web.facebook.com/Afrikanheroes/

Lessons Startup Businesses Can Learn From Nigerian Diamond Bank Merger

Hard as it may be, Moody’s has just come up with a report on how and why one of Nigeria’s strongest banks, Diamond Bank failed. The global advisory services firm, in an in-depth report analysed factors that brought about the downfall of the bank (a bank that went from making profits of N28.5 billion in 2013 to making losses of around N9 billion in 2017) and its eventual palliative merger with Access Bank.

Here are key insights that led to a bad day for Diamond Bank, according to the report, and what lessons surviving businesses can learn from it.

“Diamond Bank Aimed to Become The Leading Retail Bank in Nigeria, and Took on Excessive Risk as it Pursued This Objective”

Indeed, this is a case of borrowing Peter to pay Paul in bid to become more attractive to Paul while satisfying Peter also. The report said, although Diamond Bank set out to become Nigeria’s leading bank, it banked its hope on achieving that by letting all its taps open, without properly gauging the risk implication of it. It was like a case of everybody come take a loan, we would take care of that. The result: all business owners scampered in that direction, wielding buckets, ready to pluck out some loans to finance their businesses.

Why that idea may not be entirely bad, for a bank that was trying to make businesses in Nigeria love it, most of the businesses were not ready for the loans, had no plan of paying back soon. The bank did not appear, however, from the report, to be strategic enough: while endearing itself to retail businesses in Nigeria by allowing them to cut so much flesh off it in the name of loans. It didn’t turn its eyes to a balancer?

The report said that the bank did not attract enough corporate borrowers who are a major moneymaker for banks and that, well, it loaned out more money to the oil and gas sector than the Central Bank of Nigeria thought was prudent (52% versus 20%). So when oil prices fell in 2015 and 2016, the bank came crashing with it.The result is best captured by this point from Moody’s:

The bank’s Non-Performing Loans (that is, all loans overdue by more than 90 days) reached 42% of gross loans in 2017 (Diamond has not yet reported its 2018 results). The bank’s provisions against these Non-Performing Loans were low at only 19%, weakening the quality of its capital, while high credit losses eroded its profits, ” Moody wrote 

There is still hope for the bank, though, as Moody’s noted that Access Bank with which it has merged, is strong enough to reduce the risk of default for former Diamond Bank creditors.

‘‘Diamond Bank’s Weak Governance Structure Compromised The Board’s Ability to Determine The Bank’s Risk Appetite’’

This point was going to come anyway. Moody’s merely captured what was already in the public domain. In 2018, this letter came from Nigeria’s market research and analysis news site Proshare. The content of the letter simply was that a former chairman of Diamond Bank, Seyi Bickerstheth gave some hints why Diamond Bank’s CEO, Mr. Pascal Dozie, should be replaced. It re-echoed the same demand from Carlyle Group’s Carlyle Sub-Saharan Africa Fund (CSSAF) DBN Holdings who also wanted Mr. Dozie shown the exit door.

A key shareholder CSSAF DBN Holdings demanded an immediate removal of management principally the CEO but the Board favoured a less drastic approach to minimise disruption and also enable the Board secure new leadership,” Bickerstheth wrote in the letter.
“After several discussions, the CEO of the Bank, who is also a representative of the second largest shareholder Kunoch Ltd agreed to resign effective January 3, 2019, but would not tender his letter to confirm his verbal notification
.”

The Implication:

You can’t expect a lesser consequence. Moody’s therefore noted that this Diamond Bank’s weak governance structure meant:

  • A highly compromised board
  • A board with little ability to assess the bank’s risk exposure and;
  • And a board that failed to rigorously interrogate management over strategy.

Now watch the follow-up consequence: 

The weak governance structure meant the bank’s management would plunge the bank into an unrecoverable loss. There was a sudden decline of profits. After making profits of less than N5 billion in 2016, the bank fell far to losses of N9 billion the following year.

‘‘The CEO’s Family Was The Second Biggest Shareholder In The Bank, Directly Controlling 14% Shareholding’’ 

It looked like nobody was going to tell the bank the hard truth anyway, and when you don’t have such hard truth tellers in organisations, all boats would be oared to one direction. Moody’s said Diamond failed because it did not have enough independent directors (the objective truth tellers)on its board and this resulted in a lack of effective board oversight.

By the end of 2017, only one of Diamond’s 13 board members met the Nigerian SEC’s definition of independent (another had retired in August),” Moody’s noted

We believe Diamond’s board failed to provide an effective check against the bank’s management team. Board independence is important because it makes it more likely that management strategies are subject to rigorous questioning, reducing the risk of directors ‘rubber stamping’ management decisions.”

The implication of this is not far-fetched, Mr. Dozie, whose family was the second biggest shareholder in the bank, directly controlling 5% and another 9% indirectly through its investment firm, Kunoch Ltd (14% in total) was only 4% off the Bank’s biggest shareholder, Carlyle Fund, which controlled 18%. This meant, of course, a huge overbearing influence of one family over how the business of the bank was run. A striking example was the fact that a member of the founding family held the CEO role between November 2014 and March 2019 when it merged with Access Bank. During this period, profits fell by 78% in 2015 and bank deposits shrank by 22% between year-end 2014 and 2017.

“The Board’s High Membership Turnover Hindered Its Oversight Role.”

Indeed, between 2009 and 2019 when it merged with Access Bank, Diamond Bank had three different CEOs and three different board chairmen. This only meant two things:

  • A continuous erosion of the independence of the Board and;
  • A badly destabilised board membership

While new board members can make a positive contribution to a bank’s governance by bringing in fresh insights and experience, the new appointees at Diamond tended to lack sufficient knowledge of the bank. The board’s high membership turnover, therefore, hindered its oversight role.”

As it stands now, it appears Diamond Bank’s fate has been sealed. The merger is merely an official language. Access Bank expects to help Diamond Bank rewrite a different history. But whether the Phoenix rises again is merely a matter of time. The deed has been done and other businesses have to learn their lessons. 

Charles Rapulu Udoh

Charles Rapulu Udoh, a Lagos-based Lawyer with special focus on Business Law, Intellectual Property Rights, Entertainment and Technology Law. He is also an award-winning writer. Working for notable organisations so far has exposed him to some of industry best practices in business, finance strategies, law, dispute resolution and data analytics both in Nigeria and across the world.