In March 2024, the Commercial Bank of Ethiopia, the country’s largest commercial bank, had a technical “glitch” that allowed customers to withdraw more money than they had in their accounts. The glitch lasted for several hours before the bank froze all transactions.
News of the glitch spread rapidly on social media, particularly among university students, who flocked to ATMs on campuses to withdraw cash. Some initial reports estimated that about $40 million was withdrawn or transferred to other banks, but the bank later said that the figure was about $14 million and that most of it had been recovered.
The bank reportedly did not explain exactly what the problem was, but said the glitch occurred during “maintenance and inspection activities” and was not the result of a cyber-attack.
Now, if acts by malicious actors have been ruled out, then something was changed in the banking system by a non-malicious person. CNBC reported that a CBE spokesperson said the problem arose from an internal application update. This suggests that the bank either does not have an adequate change management procedure, or that the procedure was not followed. A change management procedure evaluates any proposed change to a system and considers its implications for existing systems before the change is allowed or disallowed.
In addition, it seems the bank does not have a system that can detect and/or stop unusual activity in the banking system. It was only after about 490,000 transactions, carried out over at least two hours, that the bank stopped transactions.
The lessons should be clear:
- Develop, and actually follow, a proper change management system.
- If your organisation is handling tens of millions of dollars, invest in a system that can detect and stop (or at least alert on) abnormal trends in the system.
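
As an illustration of the second lesson (added here, not taken from the bank or from any reporting on the incident), the sketch below shows an independent monitor that re-checks the "withdrawal must not exceed balance" rule and halts all processing when violations cluster within a short window. The record fields, window, threshold and sample transactions are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Withdrawal:
    ts: int              # seconds since the start of the sample
    account: str
    amount: int          # requested amount, minor currency units
    balance_before: int  # balance read independently of the updated application

class OverdraftBreaker:
    """Declines over-balance withdrawals and halts everything if they cluster."""

    def __init__(self, window_s=300, max_violations=3):
        self.window_s = window_s              # assumed sliding window, seconds
        self.max_violations = max_violations  # assumed trip threshold
        self.recent = deque()                 # timestamps of recent violations
        self.alerts = []                      # (ts, account, shortfall) for responders
        self.halted_at = None

    def process(self, w):
        """Return 'approved', 'declined' or 'halted' for one withdrawal."""
        if self.halted_at is not None:
            return "halted"
        if w.amount <= w.balance_before:
            return "approved"
        # Invariant broken: record an alert even if the breaker does not trip.
        self.alerts.append((w.ts, w.account, w.amount - w.balance_before))
        self.recent.append(w.ts)
        while self.recent and self.recent[0] <= w.ts - self.window_s:
            self.recent.popleft()             # drop violations outside the window
        if len(self.recent) >= self.max_violations:
            self.halted_at = w.ts             # trip: stop all further transactions
            return "halted"
        return "declined"

# Constructed sample data, not real transactions.
SAMPLE = [
    Withdrawal(0, "A", 500, 1000),
    Withdrawal(30, "B", 5000, 200),
    Withdrawal(60, "C", 300, 300),
    Withdrawal(90, "B", 8000, 200),
    Withdrawal(120, "D", 9000, 50),
    Withdrawal(150, "E", 10, 1000),
]

def run_sample():
    breaker = OverdraftBreaker()
    return [breaker.process(w) for w in SAMPLE], breaker
```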