A list of major cyber security breaches in Uganda

An in-depth look at notable cybersecurity breaches in Uganda, from telecoms to government institutions.

April 22, 2026

In the past few years, the Ugandan technology landscape has been marred by a number of cyber security breaches. These breaches have not only resulted in financial losses for the affected organizations but have also eroded trust among users and customers. In this post, we will take a look at some of the most notable cyber security breaches in Uganda and the lessons we can learn from them.

In Uganda, telecommunication companies have embraced digital transformation that has significantly improved their business performance. The transformation has supported decision-making at the different levels of management and increased financial inclusion in the country. With Uganda’s economy growing at approximately 6% per annum, the telecom sector is growing at 17.4% per year, providing one of the best gross revenue turnovers in the country. The total number of telecom subscribers increased by 157% over the last 10 years, from 10 million in 2009 to 25.7 million in 2019. Internet penetration increased by approximately 15 million, which represents 165% growth (UCC, 2019).

The rapid growth of internet usage and digital services in Uganda has unfortunately been accompanied by a rise in cyber security breaches.

In this article, we will explore a list of cyber security breaches and their origins in Uganda, as well as the lessons we can learn from them to improve our cyber security practices.

The scale of cybercrime in Uganda continues to be significant. According to the Uganda Police Force:

“In 2025, a total of 412 cases were reported to Police, compared to 474 in 2024, giving a 13.1% decrease. Out of these, 101 were taken to Court, of which 26 secured convictions, 11 dismissed, and 64 pending in Court. 64 cases were not proceeded with while 247 are still under inquiry.”

Uganda Police Force, Annual Crime Report 2025, Chapter 1: Crime Analysis

Reported cybercrime cases have fluctuated over recent years: 286 cases in 2022, 245 in 2023, a sharp rise to 495 in 2024 (later revised to 474), and 412 in 2025. While the 2025 figures show a welcome decline, the high number of cases still under inquiry and the low conviction rate underline the need for stronger enforcement and cyber hygiene practices.

1. Uganda Electricity Transmission Company Limited (UETCL) Data Breach (2025)

In August 2025, Uganda Electricity Transmission Company Limited (UETCL), the state-owned entity responsible for purchasing and transmitting bulk electricity through Uganda’s high-voltage grid, was listed as a victim on a dark web leak page attributed to the Qilin ransomware group. Unlike a traditional ransomware attack, this incident was characterised as a data-leak event, with Qilin publishing claims and partial data on their leak site between August 12 and 19, 2025.

The leak page alleged that exposed data could enable attackers to cause deliberate blackouts and claimed suspicious profit-sharing arrangements between UETCL and foreign technology providers, though both claims remain unverified and are consistent with Qilin’s known pressure tactics.

Personally identifiable information such as email addresses was partially redacted in the visible content, no specific ransom demand was published, and the full scope of the leak remains unknown. The attack was part of a coordinated regional campaign, as Qilin also listed Kenya Electricity Generating Company (KenGen) on the same leak site just days prior, suggesting a deliberate effort to target East Africa’s energy sector.

This pattern of targeting multiple utilities in quick succession is a known extortion tactic designed to signal capability and pressure each victim into paying before further data is released. The UETCL breach highlights the growing exposure of critical national infrastructure to sophisticated ransomware groups and the urgent need for Uganda to invest in securing the systems that underpin its electricity network.

2. Bank of Uganda Breach (2024)

In November 2024, hackers infiltrated the Bank of Uganda’s (BoU) treasury systems and executed fraudulent transactions that siphoned off approximately $16.2 million (60 billion shillings) to suspicious accounts in Japan. The heist involved two debt service payments that were allegedly routed to erroneous recipients, with BoU Deputy Governor Michael Atingi-Ego later attributing the misdirected payments to a mistaken directive from the Ministry of Finance, Planning, and Economic Development.

A subsequent forensic audit by the Auditor General exposed systemic flaws and possible criminal intent in the management of public funds, with findings presented to Parliament on January 9, 2025. Speaker of Parliament Anita Among, after consulting President Yoweri Museveni, referred the report to Uganda’s Criminal Investigations Directorate (CID) for further investigation, citing the criminal nature of the elements uncovered.

The Deputy Governor disclosed that $8.2 million of the stolen funds had been recovered, though the remainder has not been accounted for. The incident exposed deep vulnerabilities in Uganda’s financial infrastructure and prompted urgent calls from lawmakers and citizens for accountability and systemic reforms. It stands as one of the most significant cyber heists targeting a central bank in East Africa, reinforcing the urgent need for robust cybersecurity measures across Uganda’s public financial institutions.

3. Uganda Securities Exchange Breach (2022)

In 2019, the Uganda Securities Exchange (USE) suffered a significant data breach that exposed the personal information of its customers. The breach was caused by a misconfigured firewall on an audit logging server that was introduced during an upgrade of USE’s Know Your Customer (KYC) system.

This misconfiguration created an open port through which unauthorized individuals were able to access sensitive personal data for approximately twelve days before it was discovered. The exposed information included National Identification Numbers (NINs), names, dates of birth, email addresses, physical addresses, and telephone numbers.

The breach was traced to Soft Edge Uganda Limited, a third-party technology partner contracted by USE to assist with the KYC system upgrade. The Personal Data Protection Office conducted a formal investigation, interviewing representatives from both USE and Soft Edge Uganda Limited, and officially confirmed that a data security breach had occurred. The incident underscored the risks organizations face when engaging third-party vendors without ensuring adequate security controls are in place throughout the engagement.

4. Pegasus Technologies Ltd Data Breach (2020)

In October 2020, hackers exploited a security vulnerability in Pegasus Technologies, a Kampala-based financial and billing aggregator serving Uganda’s telecoms and banking sectors, stealing an estimated $3.2 million.

The attackers used approximately 2,000 mobile SIM cards to infiltrate the mobile money payment system, instructing banks to transfer funds to telecom companies that then paid out mobile money across the country. MTN Uganda and Airtel Uganda were forced to suspend mobile money transactions between their networks following the breach, severely disrupting financial services for millions of users.

Two suspects linked to Pegasus Technologies were subsequently arrested by police, who permitted the affected companies to audit their accounts to determine the full extent of the damage. The incident highlighted the systemic risk posed by third-party financial aggregators and the vulnerability of mobile money infrastructure that millions of Ugandans, particularly the unbanked, depend on daily.

5. Uganda Revenue Authority (URA) Data Breach (2011)

In 2011, investigations at the Uganda Revenue Authority (URA) were triggered by a suspicious entry in the vehicle registration database, which led authorities to customs officer Jacob Emmanuel Murwon, whose computer was found to have spyware secretly transmitting data to an external address.

Forensic examination revealed that the URA’s Automated System for Customs Data (ASYCUDA) had been compromised, with more than 150 vehicles registered without any corresponding tax payments and with forged bank receipts used to clear them. The trail led investigators to Guster Nsubuga and Robinhood Byamukama, a former URA software programmer who had worked at the authority for over three years and retained detailed knowledge of its systems.

Byamukama had used a company-issued MTN laptop to access URA’s servers and, together with Nsubuga, manipulated vehicle registration records, swapping chassis and engine details between vehicles in the database. Four suspects (Nsubuga, Byamukama, Richard Kibalama, and Farouk Mugeere) were arrested on URA premises in Nakawa, with three laptops and other electronic devices seized as evidence. The total loss from the compromised URA system was computed at approximately UGX 2.46 billion.

In 2013, the High Court’s Anti-Corruption Division convicted Nsubuga and Byamukama on charges of computer misuse and electronic fraud, sentencing each to 12 years’ imprisonment on the lead count, with concurrent 8-year terms on the remaining counts.

Key Lessons from Uganda’s Cyber Security Breaches

  • Third-party vendors are a significant attack surface. Several breaches, including USE and Pegasus Technologies, originated through technology partners with insufficient security controls. Organizations must vet vendors rigorously and enforce contractual security standards.
  • Insider threats and privileged access require strict oversight. The URA breach was enabled by a former employee who retained detailed system knowledge. Role-based access controls, regular access reviews, and monitoring of privileged accounts are essential safeguards.
  • Critical infrastructure is an increasingly high-value target. The UETCL and Bank of Uganda incidents show that state-owned entities managing money and power are prime targets for sophisticated threat actors. These organizations must adopt security standards commensurate with the risk they carry.
  • Incident response and public communication plans are essential. Delayed detection, forensic gaps, and unclear public messaging amplified the damage in multiple cases. Organizations should invest in detection capabilities, rehearsed response plans, and clear communication protocols before a breach occurs.
  • Regional cooperation is necessary to combat coordinated attacks. Qilin’s simultaneous targeting of UETCL and KenGen illustrates that cyber threats do not respect borders. Uganda and its East African neighbours must share threat intelligence and coordinate responses to attacks on shared critical infrastructure.