The Harare Institute of Technology (HIT) was robbed by one of its developers, allegedly. About ZW$24 million (~US$2000) was pinched but HIT has recovered $21 million of it so far. These are not huge amounts but theft is theft.
You may have heard that HIT was hacked but that’s not technically what happened. I know, people hear ‘developer’ and they immediately think ‘hacking.’ However, you will find that what this guy allegedly did could have been done by a non-developer.
Arnold Chifamba, a 26-year-old developer, was employed by HIT. It was his responsiblity to integrate HIT’s online application system with Paynow to enable the collection of registration fees.
Due to his access to the system, he decided to change the account where the funds were to be deposited. Instead of using HIT’s account, he changed it to his own Paynow account. This led to HIT funds going into his personal Paynow account.
He did this in 2023 and managed to divert ZW$3 302 564. He then moved the funds from his Paynow account to his CBZ account and that money was in the wind.
2023 was apparently a trial run because this year he stepped it up a notch and diverted ZW$21 217 069,61. Turns out that was a little too much and HIT noticed the missing funds and contacted Paynow.
Chifamba tried to move the funds to his CBZ account again but the funds were frozen after HIT reached out to Paynow. That’s how the $21 million was recovered. The $3 million stolen last year is still to be recovered.
HIT reported the matter to the police and Chifamba was arrested.
Chifamba appeared in court yesterday, the 8th of February, charged with theft. He was granted US$100 bail and will return to court on the 16th of April.
Chifamba did not unlawfully gain access to the HIT system. He was the chief developer working on the Paynow integration and so he had access. He misused this access and changed account numbers. Simple theft.
It was a case of “mbudzi yaidya payakusungirirwa” getting caught.
You would expect that there were other eyes that went over Chifamba’s work. Especially when it involved accounts that would hold HIT funds. You know, at least to check that there were no typos on the account numbers.
Or maybe not, it could be that this simple detail was overlooked, that although Chifamba could make all sorts of communications with Paynow as he worked on the integration, there were certain instructions he could not give Paynow without authorisation.
I think in between queries about API problems and test accounts, Chifamba snuck in his change of account note.
We saw this to a much greater extent when we talked about the deepfake scam that netted criminals US$26m in Hong Kong. An employee had authority to transfer that much money with no oversight.
So, in closing, HIT systems were not hacked. An employee stole from them by changing the organisation’s Paynow account to his. Something some other guy in accounting could have done. They also could have given the developers the wrong account to integrate with.
Let’s be frank though, this was a stupid idea. The Bibles worth of paper trails he left meant it was only a matter of time until he was caught.