The Ministry of Communication, Digital Technology and Innovations has confirmed that it is actively investigating a cybersecurity breach affecting approximately 5,700 customers of MTN Ghana.
In a statement issued on Tuesday, 29 April 2025, the Ministry said it is collaborating with key regulatory and oversight institutions, including the Cyber Security Authority (CSA), the National Communications Authority (NCA), and the Data Protection Commission (DPC), to determine the full scope of the incident and ensure that all necessary protective measures are taken in accordance with Ghana’s Data Protection laws.
“The Ministry will ensure that affected customers are contacted in line with Data Protection Laws,” the statement said, adding that efforts are ongoing to establish whether the breach resulted from lapses on the part of the mobile network operator. The Ministry urged the public to remain calm as investigations continue.
This announcement follows a media release from MTN Ghana on Monday, confirming that the company had detected a potential breach involving the data of about 5,700 customers. While MTN assured the public that its core platforms remain fully operational, it acknowledged that preliminary investigations suggest customer data may have been compromised.
MTN, which serves over 29 million mobile subscribers in Ghana, has launched a forensic investigation and is working with leading cybersecurity experts to contain and assess the situation. The company stated that it would contact affected customers directly and has encouraged users to remain vigilant.
As a precautionary measure, MTN is advising customers to strengthen their digital security by updating mobile and banking applications, using strong passwords, enabling multifactor authentication, and refraining from sharing sensitive information such as PINs, passwords, or one-time passwords (OTPs) via phone, SMS, or email.
Customers concerned about possible fraud linked to the breach have also been advised to place alerts on their credit reports with major credit bureaus. MTN maintains that safeguarding customer information remains its top priority and that updates will continue to be provided as the situation evolves.
The Ministry reaffirmed its commitment to ensuring that digital platforms operating in Ghana adhere strictly to cybersecurity and data protection regulations and assured the public of transparency in handling the ongoing investigation.
How safe is the data we provide to Telecommunication companies?
In Ghana, there is a law in place to ensure that the personal data of citizens are protected. The Data Protection Act, 2012(Act 843) to establish a Data Protection Commission, to protect the privacy of the individual and personal data by regulating the processing of personal
information, to provide the process to obtain, hold, use or disclose personal information and for related matters.
Section 28 of Act 843 provides for security measures that need to be put in place to ensure that data is protected.
Security measures
28. (1) A data controller shall take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures to prevent
(a) loss of, damage to, or unauthorised destruction; and
(b) unlawful access to or unauthorised processing of personal
data.
This section requires organizations, including telecommunications companies, to implement safeguards to protect personal data from unauthorized access, loss, or misuse. It also mandates compliance with security standards to ensure data integrity.
What happens when there is a Security compromise?
In the event that there is a compromise in the security, when the organization or data controller has reasonable grounds to believe that an unauthorized person has acquired or had access to the personal data of an individual, the data controller must notify the Data Protection Commission and the individual of the breach as soon as reasonably practicable by electronic mail, a post to the last known address of the subject, publication in the media or any means that the Commission may direct.
Section 31 of Act 843
31. (1) Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the(a) Commission, and (b) the data subject of the unauthorised access or acquisition.
The notification shall provide sufficient information to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data. The data controller will also take steps to restore the integrity of their system to prevent further breaches.
This notification is usually withheld when security agencies advise that the notification will impede an ongoing criminal investigation.
Source: Kweku Zurek, GraphicOnline
