Project Tikonze

Woman working on a tablet.
  • Case Study
  • July 17, 2026

Services

Forensic services

Our role

Cyber Incident Response and Digital Forensics

Client

Financial institution

Client issue

A financial institution experienced a cyber incident on its mobile banking platform that was discovered less than three weeks after its new mobile banking platform went live. The discovery followed customer complaints of unauthorised transactions in their accounts. Initial internal investigations had shown a possible breach of the mobile banking platform, evidenced by unknown accounts on the mobile banking servers and databases.

According to the PwC 28th Annual Global CEO Survey, 24% of the CEOs identified cyber risks as one of the biggest threats their organisations are highly and extremely exposed to in the year ahead, ranking it third overall.

Our solution for our client

  • Deployed an incident response tool on the institution’s servers to scan critical servers and endpoints to determine whether the attackers persisted in the rest of the institution's infrastructure.
  • Held discussions with the institution’s staff to understand the set up and the containment measures that had already been implemented.
  • Assessed the measures that the institution had taken to contain the incident to determine their adequacy.
  • Performed digital forensics on affected infrastructure to determine what happened, understand how it happened, identify who was responsible, assess the impact, and preserve digital evidence.
  • Collected and analysed logs from multiple sources, including databases, access points, networks, and the Security Information and Event Management (SIEM) platform.
  • Analysed mobile banking transactions in the period of the incident to determine the irregular transactions.
  • Reviewed documentation and held interviews with branch staff to understand how the threat actors managed to exfiltrate funds from branches following the cyber security incident.
  • Undertook a Vulnerability Assessment and Penetration Testing (VAPT) exercise on the rebuilt USSD banking platform to determine whether any weaknesses that could be exploited existed.

The impact our solution had

Incident containment and active threat neutralisation

Confirmed the incident was contained within the mobile banking platform with no successful breach of the wider infrastructure and identified attacker IP addresses still communicating with the institution's systems for immediate blocking.

Determination of attack origin, attribution and third-party risk mitigation

Traced the attack to the institution's 3rd party SOC provider infrastructure, uncovered extensive abuse of credentials assigned to a specific SOC staff member, and engaged the provider to address the compromise and potential insider involvement.

Attack Vector and Lateral Movement Analysis

Determined how the attacker bypassed USSD banking platform controls to initiate irregular transactions from internal servers, and identified weaknesses that allowed lateral movement, privilege escalation, and over four weeks of undetected access.

Impact assessment and review of internal control gaps and weaknesses exploited

Isolated irregular transactions from legitimate customer activity, and uncovered weaknesses at branch level and in fraud control systems that were exploited to exfiltrate funds through a physical branch.

Strategic remediation

Provided actionable recommendations to strengthen controls across the institution's IT environment, branch operations, and fraud detection systems to safeguard against similar incidents in the future.

Organisations must treat third-party access as a privilege, not a default. Vendors should never operate with unrestricted or unmonitored access. All activity must be scoped, time-bound and logged, with clear accountability and involvement from internal IT and cybersecurity teams.

Learn more about third party risk in our Cyber Digest

Explore our Digital Forensics and Cyber Incident Response services

Follow us

Contact us

John Kamau

John Kamau

Partner | Forensic Services, Eastern Africa Region, PwC Kenya

Tel: +254 (20) 709 895 000

Isaac Gachigua

Isaac Gachigua

Manager | Forensic Services, PwC Kenya

Tel: +254 (20) 709 895 000

Josephat Mwanzia

Josephat Mwanzia

Manager | Forensic Services, PwC Kenya

Tel: +254 (20) 709 895 000

Hide