Shared passwords almost cost the Bank of Uganda 24 million dollars



Unknown individuals have made four attempts to illegally transfer US$24 million (UGX81 billion) from the Bank of Uganda to accounts located outside the country.

Officials within the Government of Uganda are believed to have shared passwords with tech-savvy individuals who then logged in to the financial management system and targeted the accounts of the Defence, Energy and Agriculture ministries and the Uganda National Roads Authority (UNRA). 

These accounts routinely handled large transfers, so the planned theft would have appeared as a normal transaction at the time.

The transactions were initiated through the Integrated Financial Management Information System (IFMIS) at the Ministry of Finance, an information system meant to keep track of transactions carried out by and on behalf of the Government.

The payments were to be processed through Bank of Uganda and wired to fictitious companies in Hong Kong and the United Arab Emirates.

US$8 million (UGX27 billion) was wired to banks in Hong Kong and the United Arab Emirates, but the money has since been retrieved through inter-bank procedures and was returned in February 2016.

The first of three attempted transfers happened in July 2015, when US$12 million (UGX40 billion) was targeted. The plot was foiled, but this did not deter the individuals, who then attempted to steal $2 million (UGX6.7 billion) in December 2015.

In January 2016, another attempt was made to withdraw US$2.3 million (UGX8 billion) but the transaction was detected and terminated.

The Ministry of Finance first notified Uganda Police of the breach of security when the first attempt was made in July. Three suspects have since been arrested and are in police custody.

While IFMIS as an information system is secure, it is unclear how the fake companies were registered on the system, raising suspicions of possible collusion between government officials and hackers outside the country.

The attempted fraud comes three years after Uganda instituted financial integrity measures to seal loopholes following the theft of US$17 million (UGX60 billion) in donor funds meant for northern Uganda from the Office of the Prime Minister.

Kenya has also seen similar losses through fraudulent transactions carried out on IFMIS. 791 million shillings (US$7.8 million) cannot be accounted for, and the circumstances around that loss are similar to what has happened in Uganda.

Systems such as IFMIS have been introduced as a means to eliminate corruption, but they are not entirely foolproof. Where there’s a will, there’s a way, especially when the will is to break into and steal from a system designed to prevent theft.

The major weak point appears to be shared passwords and remote access, meaning that individuals can log in and impersonate government officials, creating accounts and initiating transfers to these accounts. The theft is likely to continue as long as these transactions are carried out without oversight and approval.
