In May 2025, there were news reports that Equity Bank had fired over 200 employees for actions that led to the loss of a staggering 1.5 billion shillings. That is billion with a B.
I did not find an official statement providing details on this but one news report said that the money was taken after stolen login credentials from a manager at the Group Processing Centre were used to authorise over 40 large transactions, redirecting funds into external accounts. This is not much detail but we can examine various possibilities of how this would work.
The issue here is similar to the case I wrote about a while back, where someone hacked the government’s payroll, inserted himself as a Member of Parliament and received a salary as an MP. The question there was whether inserting his details in one place was enough for him to receive an unauthorised salary, or whether he had to hack multiple systems or data storage points.
Similarly, was stealing one manager’s password enough to access 1.5 billion shillings, or did the insiders find or create a chain of loopholes to allow the theft? Neither option is good.
I have also written before about separation of duties, where it should require more than one person to carry out a significant transaction from start to finish, and also about the principle of least privilege, where each employee should have only the system permissions needed to do their specific work, and no more. I wonder if these two principles were implemented at the bank.
Of course, it is possible for multiple employees to collude and pull off a heist. I think it is unlikely that 200 people colluded on anything. Also, having 200 employees discussing and planning anything significantly increases the likelihood that someone will report the planned heist. I think it is more likely that a loophole was discovered and individual employees heard about it and independently exploited it, much like the case of the Ethiopian bank, where the bank’s system allowed individuals to withdraw more money than what they each had in their own accounts. Either option – collusion or individual action – also raises questions about the organisational culture and hiring practices. In the bank’s defence, though, the bank is said to have about 14,000 employees, so 200 people would be less than 1.5% of the staff.
I would also be very interested in knowing how the loss was detected.
Fun fact: If all the 200 staff were guilty and if the money was to be shared equally, 1.5 billion divided by 200 people would give each of them about 7.5 million shillings.
Lessons
1) Implement the principle of separation of duties – don’t have one person holding the key to the vault.
2) Implement the principle of least privilege – don’t give more power than needed.
3) Examine whether your organisational culture and hiring practices actually support your organisation’s objectives.
4) Consider and implement low-tech reporting mechanisms that would bring unusual activity to the attention of relevant staff.
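As an added illustration of lessons 1, 2 and 4 (this is example code written for this post, not anything from the bank's systems), here is a small Python model in which a role carries only one permission, a large external transfer cannot be released on one credential, and a single account pushing through many large external transfers is reported for review. The role names, the threshold and the per-user limit are constructed values.

```python
from dataclasses import dataclass, field
from collections import Counter

# Least privilege: each role carries exactly one permission, so no single
# account can both initiate and approve a transfer (constructed role names).
ROLE_PERMISSIONS = {
    "initiator": {"initiate"},
    "approver": {"approve"},
}
LARGE_TRANSFER = 1_000_000   # constructed threshold, in shillings
MAX_LARGE_PER_USER = 5       # constructed: more than this from one account is reported


@dataclass
class Transfer:
    amount: int
    to_external: bool
    initiated_by: str
    approvals: list = field(default_factory=list)


def can(user_roles, user, action):
    """True if any of the user's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user_roles.get(user, ()))


def approve(user_roles, transfer, approver):
    """Record an approval; refuse users without the permission, the initiator, and repeats."""
    if not can(user_roles, approver, "approve"):
        raise PermissionError(f"{approver} lacks the approve permission")
    if approver == transfer.initiated_by or approver in transfer.approvals:
        raise PermissionError(f"{approver} cannot approve a transfer they initiated or already approved")
    transfer.approvals.append(approver)


def release_allowed(transfer):
    """Separation of duties: a large external transfer needs two distinct approvers besides the initiator."""
    needed = 2 if (transfer.amount >= LARGE_TRANSFER and transfer.to_external) else 1
    return len(set(transfer.approvals)) >= needed


def flag_unusual(transfers):
    """Low-tech detection: list accounts that initiated more large external transfers than the limit."""
    counts = Counter(t.initiated_by for t in transfers
                     if t.amount >= LARGE_TRANSFER and t.to_external)
    return sorted(user for user, n in counts.items() if n > MAX_LARGE_PER_USER)
```

With this model, a stolen initiator credential alone cannot release a large external transfer, and forty such transfers from one account would appear in the review list after the sixth.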