Services
Forensic services
Our role
Cyber Incident Response and Digital Forensics
Client
Financial institution
A financial institution experienced a cyber incident on its mobile banking platform that was discovered less than three weeks after its new mobile banking platform went live. The discovery followed customer complaints of unauthorised transactions in their accounts. Initial internal investigations had shown a possible breach of the mobile banking platform, evidenced by unknown accounts on the mobile banking servers and databases.
According to the PwC 28th Annual Global CEO Survey, 24% of the CEOs identified cyber risks as one of the biggest threats their organisations are highly and extremely exposed to in the year ahead, ranking it third overall.
Incident containment and active threat neutralisation
Confirmed the incident was contained within the mobile banking platform with no successful breach of the wider infrastructure and identified attacker IP addresses still communicating with the institution's systems for immediate blocking.
Determination of attack origin, attribution and third-party risk mitigation
Traced the attack to the institution's 3rd party SOC provider infrastructure, uncovered extensive abuse of credentials assigned to a specific SOC staff member, and engaged the provider to address the compromise and potential insider involvement.
Attack Vector and Lateral Movement Analysis
Determined how the attacker bypassed USSD banking platform controls to initiate irregular transactions from internal servers, and identified weaknesses that allowed lateral movement, privilege escalation, and over four weeks of undetected access.
Impact assessment and review of internal control gaps and weaknesses exploited
Isolated irregular transactions from legitimate customer activity, and uncovered weaknesses at branch level and in fraud control systems that were exploited to exfiltrate funds through a physical branch.
Strategic remediation
Provided actionable recommendations to strengthen controls across the institution's IT environment, branch operations, and fraud detection systems to safeguard against similar incidents in the future.
Organisations must treat third-party access as a privilege, not a default. Vendors should never operate with unrestricted or unmonitored access. All activity must be scoped, time-bound and logged, with clear accountability and involvement from internal IT and cybersecurity teams.
John Kamau
Partner | Forensic Services, Eastern Africa Region, PwC Kenya
Tel: +254 (20) 709 895 000