by Edison Irabor
Patricia, an alternative payment solutions company that is known to offer crypto-trading and gift-card services, has suffered a hack, according to its Downtime Update to users via its Twitter handle and email of 27 May 2023. Consequently, Patricia has suspended withdrawals for retail users.
As announced by Patricia, not long ago, Patricia became a victim of a breach. Patricia Personal, one of its three arms, “was solely affected by this breach”. Patricia Personal is the retail-trading application of the crypto trading and gift card platform. Users of Patricia OTC Desk and Patricia Business have not been affected. Also, as stated in the notice, only “BTC [bitcoin] and Naira assets were compromised”. Alternate coins such as Ethereum, DogeCoin, USDT etc. remain available for withdrawal on the platform.
Withdrawals temporarily suspended, announces Patricia
Patricia is “temporarily suspending withdrawals on [its] app (mobile and web)”. This, according to Patricia, is due to the internal restructuring that the platform is undergoing.
At the time of writing this report, Patricia has provided no detail concerning the nature of the breach, when it occurred, how it may have arisen, or who was involved. No restructuring detail has been provided either.
As stated in its public notice, other than its BTC and Naira assets on its retail trading platform, “[e]very other crypto balance remains unaffected”. Patricia then “assure[s] the public that all [its] customers’ and merchants’ assets are secure”.
Patricia assures customers that it is taking “security measures” to ensure safety of their funds while investigations continue.
Patricia has assured customers that customers’ and merchants’ assets are secure. In Patricia’s words, it is “working to strengthen [its] security measures”.
According to Patricia, its “security team, with the help of law enforcement agencies, has been able to identify an individual among the syndicated group responsible for this breach.” Patricia says it would “continue to pursue this lead and work with security agencies and other partners to ensure thorough audit of the situation and recover the assets”.
So far, Patricia “with the help of law enforcement agencies …. has been able to identify an individual among the syndicated group responsible for this breach.” Patricia says it would “continue to pursue this lead and work with security agencies and other partners to ensure thorough audit of the situation and recover the assets”.
Meanwhile, Patricia Founder & CEO, Hanu Fejiro Agbodje Patricia, has asked for users’ patience via his Twitter handle.
But some Patricia customers, understandably, remain distrusting and disgruntled. Reportedly, before Patricia announced the temporary suspension of withdrawals, Patricia users had been experiencing issues over the months, including difficulties in accessing their accounts, as seen in tweets replying to the notice on Twitter.
Reactions from the Patricia user community on Twitter have been a mixed bag.
Patricia hints at why it became the target of hackers.
Seeming to explain why Patricia has experienced the hack of its Patricia Personal platform, Patricia believes that the public recognition it got after Patricia became a “household name” brought “its fair share of risks” with it.
Patricia is a two-time sponsor of the popular reality TV show, Big Brother Naija. As one of the sponsors in 2020 and 2021, Patricia enjoyed millions of views, becoming quite popular, along with Abeg, the headline sponsor of the show. Patricia’s role at Big Brother Nigeria earned Patricia’s Founder & CEO a spot in CAB’s Top 20 Individuals that shaped Nigeria’s blockchain & crypto industry in 2021.
In 2020’s Big Brother edition, 900 million votes were reportedly recorded in the show, generating an estimated 27 billion naira ($71 million). About 50% of the show’s viewership is from Nigeria and a third is from South Africa, while the rest is from Botswana, Ghana, Kenya, Namibia, Uganda and other countries.
Reportedly, the hack was suffered by Patricia in January 2022 and the company lost $2 million.
Patricia’s notice to users did mention that the hack or breach was “not long ago”. The specific period is January 2022, as reported by TechCabal’s news editor, Olumuyiwa Olowogboyega.
Also, although Patricia has not disclosed the sum involved in the incident at the time CAB was writing this report, Patricia reportedly lost $2 million.
At the time of writing, Patricia has not responded to the reported figure and period above.
Patricia reserves the right to limit access to user accounts and not disclose details of risk management or security procedures to its users, according to its ToS.
Under its terms of service (ToS), Patricia, which boasts an ISO Certification (ISO 9001, 27001), reserves the right to limit access to user accounts. Similarly, Patricia reserves the right to not disclose details of risk management or security procedures to its users:
If we limit access to your Patricia user account, including through the placement of a lien, we will provide you with notice of our actions, and the opportunity to request restoration of access if, in our sole discretion, we deem it appropriate. Further, you acknowledge that Patricia’s decision to take certain actions, including limiting access to your Patricia user account, may be based on confidential criteria that is [sic] essential to our management of risk, the security of other Patricia users’ accounts and the Patricia system. You agree that Patricia is under no obligation to disclose the details of its risk management or its security procedures to you.
Also, according to Patricia’s ToS, the use of Patricia or the services it provides is governed by the laws of the State of Lithuania. As published on Patricia’s website, Patricia is registered in Lithuania (305919619). It is also registered in Canada (BC1364279) and South Africa. Patricia Technologies Limited, as registered in Nigeria in April 2018, appears to be currently inactive, according to the public database of the Corporate Affairs Commission (CAC).
Patricia in Numbers
As published on Patricia’s website, Patricia moved from 2 to 350+ employees (but laid off a number of staff in 2022), 1 to 8+ locations, and 5k to 30k+ daily transactions. Patricia also launched “Africa’s first and only Bitcoin Debit card”, “bagged 5 different awards and was named Fourth Canvas’ African Challenger Brands Top 20, all in four years”. At the time of writing, Patricia has up to 850,000 registered user accounts; 10,000 daily active users; 30,000 daily transactions, and serves 10+ countries. This is as represented by Patricia on its website.
In July 2021, Patricia announced that it had moved its operations to the Republic of Estonia, with headquarters now domiciled in the northern European country. According to Patricia, this was part of its global expansion strategy, “whilst also positioning [Patricia] as the leading cryptocurrency trading company in Nigeria, Africa, and Europe”. In the same period, Patricia launched several new features on its app, including crypto swap; crypto bet; new coins and tokens for trading; and enabling international transactions.
Referring to the cryptocurrency restriction in Nigeria’s banking and financial system by the Central Bank of Nigeria (CBN), Founder & CEO, Hanu Fejiro Agbodje said that “[w]hat originally came as disastrous news turned out to be the cornerstone we needed for this worldwide expansion”.
Patricia was founded 16 August 2017, starting its first transactions on WhatsApp. It didn’t launch a website until 20 November 2018 and recorded its first 1,000 daily transactions on 2 May 2019. Patricia App was launched 1 March 2020. Its back-to-back sponsorship of the most popular reality TV show in Africa, Big Brother Naija, rocketed it to the moon, at least as far as popularity was concerned.
Crypto experts and players react
Adedeji Owonibi, Senior Partner at A&D Forensics, believes that the Patricia breach incident reinforces the need for a robust cybersecurity system:
This underscores the need for periodic cyber security checks on exchange systems. Penetration testing and vulnerability assessment will have to be an ongoing operation within exchange systems. And for founders, never commingle customers’ funds with your operational funds. I can’t emphasize that enough, particularly for young startup founders within the Nigeria crypto space. In fact, some persons even argue that there was never a hack on Patricia, with many believing it was rug-pulled. Proper investigations however will reveal what really went wrong and help clear doubt. We at A&D Forensics will be glad to help with this.
Adedeji Owonibi, Senior Partner at A&D Forensics
Kunle Taiwo, CCI, a digital forensics detective and investigator with the Nigeria Police Force, also emphasized the need for crypto exchanges to adopt standard measures that help ensure consumer protection and investor safety in the crypto industry:
Hacks and data breaches have become quite common with cryptocurrency exchanges, according to blockchain data platform Chainalysis. Hacking remains a major barrier to cryptocurrency adoption. Cryptocurrency exchanges are a major target for hackers, with over $20 billion stolen in 2022. The cryptocurrency market saw a significant number of hacks to date, the latest being Patricia crypto exchange. Patricia hasn’t announced the specific cause of the breach, which I believe is to the detriment of its users (the consumers). These trends indicate a growing potential for risk of loss for users who may be lower-income consumers and consequently more vulnerable to financial shocks and least able to weather losses from frauds, hacks, and market volatility. Recent events have highlighted the need for new standards in the crypto industry. To ensure crypto exchange consumer protection, certain baselines should be set as standard measures.
Kunle Taiwo, Certified Cryptocurrency Investigator
Similarly, Ruth Iselama, Founder & CEO of Bitmama, commented generally about the need for crypto exchanges to invest more in cybersecurity infrastructure, pointing out that this is a critical step to take as early as possible in the life of a crypto exchange:
Crypto exchange operators must put adequate cybersecurity measures in place. This is especially important early on, before the exchange scales. Besides, cybersecurity is not cheap. Because details of the reported breach are currently unavailable, I’m however unable to comment further on the incident.
Ruth Iselama, Founder & CEO, Bitmama
As the reported breach is still a developing story, many industry stakeholders continue to observe. CAB is putting a separate report together featuring more reactions from industry stakeholders.
First, notably, Patricia was originally headquartered in Nigeria, but has since relocated its headquarters to Lithuania, after previously perching in Estonia following the CBN cryptocurrency circular of 5 February 2021. From a consumer protection and investor safety point of view, these facts have their legal implications.
Second and most importantly, in handling the current incident, Patricia must not allow any gap in communication; otherwise, distrust will increase amongst users and other members of the public. If Patricia communicates with its users as transparently as expected; implements measures that will ensure the safety and security of users’ funds as much as it can as assured; and also carries the relevant agencies along as obligated, the situation will most likely not get out of control.
Third, following this latest incident, Patricia management may implement internal measures, such as laying off more staff, pruning down marketing budget, and budgeting more for cybersecurity and compliance, if it isn’t doing so already.
Most hacks or breaches, particularly in the financial services industry, are generally underreported. This is due to the potential loss of reputation, erosion of trust, loss of business and revenue, risk of litigation, threat of sanctions, and more. Centralized crypto exchanges face significant risks. This reinforces the need for crypto exchanges and other virtual asset service providers (VASPs), local and foreign, to take cybersecurity and compliance more seriously. Cybersecurity and compliance are a continual affair. They never stop.
With the National Blockchain Policy indicating the Federal Government’s goal, amongst others, to adopt a risk-based approach to crypto adoption in the country, users and other stakeholders can only hope that the members of the National Blockchain Steering and Implementation Committee, including the Stakeholders in Blockchain Technology Association of Nigeria (SiBAN), succeed in ensuring a safer and more secure industry for all. If the crypto industry wants users and the government to embrace it, confidence and trust are critical.
Patricia, hopefully, will manage the ongoing incident responsibly and effectively while investigations and the entire situation last. This is where accountability, integrity, and transparency come in.
UPDATED 29 May 2023, 11:56 (WAT): To feature reactions from industry experts and players, Adedeji Owonibi, Kunle Taiwo, and Ruth Iselama