"(1) That I am the above-named person as well as the investigating police
officer in a case of Conspiracy and fraudulent transfer reported by Flutterwave
Technology Solution Limited through his counsel Albert Onimole, legal practitioner
by virtue of which I am conversant with the fact of this case.
(3) That a case of Conspiracy and Fraudulent transfer was reported to the
Police via petition written by Albert Onimole & Co. on behalf of
Flutterwave Technology Solution Limited bordering on allegation of Conspiracy,
stealing and fraudulent transfer over Two billion naira having hacked into the
complainant account. Copy of the Petition is hereby attached and marked exhibit
‘A’.
(4) That it was revealed in the course of investigation that the
suspected hackers hacked into the cyber space of the complainant and transferred
over two billion naira to various accounts listed on this application. Copy of
the statement of the Complainant is hereby attached and marked exhibit ‘B’."
Flutterwave, in its official statement, said: “During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible.” However, the fintech flatly denied that any user lost any funds, as its security measures were “able to address the issue before any harm could be done to our users”.
This denial is in stark contrast to the contents of the petition and affidavit mentioned earlier. If no user funds were lost, how come there was a petition to the police and an application to freeze accounts? The denial, and the statement shifting blame to "some users who had not activated some of our recommended security settings", is typical of what many financial institutions in Nigeria say whenever a customer complains of unauthorised withdrawals or transfers from their accounts. In the case of Barrister Wole Abidakun v. Diamond Bank Plc. (Suit No: CV/2779/18), which involved an unauthorized transfer from a customer's account, Justice Kutigi of the High Court of the FCT, while delivering judgement on 23 June, 2021, observed thus:
“I agree that because these facilities have security features known only to the customer and so the customer bears some responsibility to secure them, once however a customer makes a serious complaint of foul play in his account, the usual standard and rather lazy and lame response by Defendant Bank that the customer has compromised the security features will not stand or fly in the absence of a forensic investigation to determine responsibility. There must be proper in-house and then police investigations showing clearly and positively that the customer must have indeed compromised the security features or given his PIN numbers to a third party. Bare and empty verbal assertions will not suffice in this age of savvy and sophisticated criminals.”
Now, if it were in the United States, where data breaches and hacks are not tolerated by the financial services regulators, Flutterwave would have been in big trouble. The regulators would have carried out investigations and Flutterwave would have been fined heavily if found wanting. Flutterwave customers would have also likely filed a class action against the fintech.
For instance, in 2020 in the US, a class action was filed against Bank of America for failing to provide sufficient protections for unemployment payment debit cards after thousands across California fell victim to fraud. Among the issues that were raised in the case against the bank were the lack of secure microchips in unemployment debit cards, a failure to secure private account information and a sluggish response to consumer fraud reports.
Also in the United States, the Consumer Financial Protection Bureau (CFPB) found in 2016 that online payment platform Dwolla deceived consumers about its data security practices and the safety of its online payment system, and therefore ordered Dwolla to pay a $100,000 penalty and fix its security practices.
As of May 2015, Dwolla had more
than 650,000 users and had transferred as much as $5 million per day. For each
account, Dwolla collected personal information including the consumer’s name,
address, date of birth, telephone number, Social Security number, bank account
and routing numbers, a password, and a unique 4-digit PIN.
From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. It also claimed that it encrypted all sensitive personal information and that its mobile applications were safe and secure.
However, it was found that Dwolla’s
data security practices in fact fell far short of its claims. Specifically, the
CFPB found, among other issues, that Dwolla misrepresented its data-security
practices by:
(1) Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
(2) Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.
The above action of the CFPB in the US shows how a regulator should act in the face of continuous data breaches and/or hacks. In 2022 it was MTN Mobile Money Bank that was hacked, but it is unclear what actions, if any, the regulators in Nigeria took against MTN concerning the breach or hack. The Federal Competition and Consumer Protection Commission, the Central Bank of Nigeria, the Nigeria Deposit Insurance Corporation, and the newly created Nigeria Data Protection Commission need to sit up and do more.
It is therefore high time that the regulators in Nigeria mentioned above woke up to their responsibilities and took punitive action against erring financial institutions in Nigeria for data breaches and hacks. Perhaps the fear of sanctions will make the financial institutions improve their cyber security practices and better protect customer funds/deposits in their custody.
It is also recommended that a quarterly or yearly report be made available to the public, showing financial institutions that were sanctioned for failing to comply with relevant industry cybersecurity frameworks and/or data protection regulations.