Cyber ‘Breachonomics’ lessons from MTN

By Stephen KEMETSE

On April 24, 2025, MTN Group announced a cybersecurity breach. It reported unauthorized access to customer data in several markets without specifying which subsidiaries or countries were affected.

The Group indicated that it had notified South African authorities, including the South African Police Service and the Hawks, also known as the Directorate for Priority Crime Investigation (DPCI).

On April 28, MTN Ghana issued its own statement indicating that the company had suffered a cybersecurity breach that, on initial assessment, may have affected data of about 5,700 customers.

The company assured customers that core systems were secure and that investigations were underway to determine the full scope and impact of the breach. It offered basic security advice to all users.

These swift actions are commendable; however, the incident reporting timelines highlights the possibility of a crucial gap. Global data security frameworks such as the EU’s General Data Protection Regulation (GDPR) set a benchmark of 72 hours for notifying supervisory authorities in the event of a data breach.

Ghana’s Data Protection Act, 2012 (Act 843), requires data controllers to promptly notify the Data Protection Commission and affected individuals when a breach poses a real risk of harm.

We want to believe that these regulatory reporting obligations were not breached. The four-day gap between when MTN Group announced the incident and when the public in Ghana was informed raises potential concerns of speed and sequence of local regulatory engagement, the transparency of communications, and whether multinational firms have adequate country-level incident disclosure processes in place.

We believe that MTN could provide more clarity on whether the breach affected its telecom arm or its financial services operation.

Following regulatory directives, MTN Ghana has structurally separated its telecom operations (voice, data) from its financial services arm (notably, MTN Mobile Money, or MoMo). This distinction matters profoundly.

A breach in the financial services division would trigger heightened scrutiny from the Bank of Ghana under its Payment Systems and Services Act, possibly implicating customer funds, Know Your Customer (KYC) records, and anti-money laundering controls.

By contrast, a breach confined to the telecom arm would primarily engage the oversight of the National Communications Authority and fall under the Electronic Communications Act.

This clarification is required for customers to take meaningful protective steps and for regulators, partners, and industry observers to accurately assess the scale, impact, and necessary safeguards following the breach.

The World Economic Forum reports that firms with board-level cyber oversight are 43percent more likely to avoid severe impacts during attacks.

While we cannot comment on MTN’s internal governance, there are lessons here, not only for multinationals and Ghana’s blue-chip corporates but also for Ghana’s small and medium-scale enterprises.

Cybersecurity is no longer just a technology issue. It is a leadership, risk, and governance priority that directly determines whether revenues are protected or lost.

According to IBM’s 2023 Cost of Data Breach Report, the global average cost of a breach is US$4.45 million. Breaches in financial services often cost more.

In addition, there are regulatory fines, legal liabilities, customer attrition, and long-term reputational damage. In Africa, where mobile money services are essential for millions, the trust stakes are even higher

Another critical area is the commitment to periodic public updates with specific timelines. Without a set schedule, stakeholders are left to fill information gaps with speculation, often magnifying reputational harm.

Already, there are erroneous information circulating on social media platforms about the safety of MoMo wallet balances following MTN Ghana’s announcement of the Data incident.

These heightened speculations can be curbed with committed updates at intervals such as every 48 or 72 hours, which also will signal control, accountability, and transparency.

Customers, regulators, and partners need to know when they will hear next, even if only to say investigations are ongoing. Setting and maintaining a clear update schedule demonstrates strong command over the situation and helps build public confidence.

This incident serves as a wake-up call for all companies, including Ghana’s small and medium-scale enterprises. Cybersecurity is no longer optional. It is a fundamental business priority that ensures financial sustainability.

Companies of all sizes can protect their earnings and customers, safeguard their reputations, and help build a stronger, more resilient digital economy for Ghana and Africa.

>>>the writer is Director, Payplus Africa. He can be reached via [email protected]

The post Cyber ‘Breachonomics’ lessons from MTN appeared first on The Business & Financial Times.

Read Full Story