As the use of mobile money and digital banking services in Africa has become commonplace, so has the rise in risk to personal data. At the end of April 2025, MTN Ghana was exposed to a ransomware attack, resulting in a data breach that highlighted the growing vulnerability of technology platforms to privacy risks. The so-called ‘sophisticated ransomware attack’ compromised the personal data of approximately 5,700 MTN Ghana customers; no doubt prompting many of Ghana’s Data Protection Supervisors, the Ghanaian equivalent of Data Protection Officers (DPOs), to revisit internal privacy and security frameworks to ensure existing risk mitigation strategies remain effective.
Although the nature of the hackers’ demands remain undisclosed, MTN Ghana has confirmed that the exposed data may include names, surnames, and mobile numbers. The telecom operator stressed that the data compromised did not include billing or mobile wallets, with operations already back to normal.
Under Ghana’s Data Protection Act, 2012, data controllers must report breaches “as soon as is reasonably practicable,” though the law does not set a strict timeframe. However, the Cybersecurity Act, 2020, requires incidents to be reported within 24 hours of detection, highlighting the growing regulatory emphasis on prompt breach notification.
This breach is not an isolated case, with cyberattacks on telecoms companies increasing across Africa. Earlier this year, South Africa’s Cell C experienced a ransomware attack, while Telecom Namibia suffered a breach that resulted in the loss of over 600GB of customer data. South Africa’s telecommunications sector is subject to more than 1,000 cyberattacks each week, according to cybersecurity firm Check Point.
These incidents highlight the need for stronger, proactive data protection and cybersecurity strategies across technology platforms, and crucially, the need to have an expert team in place that not only understands the regulations but the importance of a swift response.
HewardMills’ experienced data protection professionals play a crucial role in supporting organisations to navigate these challenges and mitigate future data breach implications.
Our Ghanaian team of Data Protection Supervisors, alongside a global team of Data Protection Officers, work closely with internal privacy teams to ensure compliance with local regulations. From reviewing current privacy postures to providing specialist outsourced data protection services, we can provide strategic advice to mitigate risks wherever your organisation operates.
