
“Those who poison the air around others inhale the same taint.”
On April 24, 2025, MTN Group, Africa’s largest mobile operator, confirmed that an “unknown third party” gained unauthorised access to parts of its systems, exposing customers’ data in selected markets. While MTN insists core services (mobile money, billing, network infrastructure) remain secure, the breach rings alarm bells in Ghana, where TELCOs hold vast biometric records from past SIM‐registration drives locally and, possibly, on offshore backup servers. This article explains the risks for Ghanaian subscribers, examines the fraught history of biometric SIM registration, and spotlights global precedents that warn of potentially irreversible harm if fingerprints and facial scans fall into malicious hands.
MTN is said to have detected unusual activity on parts of its IT ecosystem on April 23, 2025. An initial forensic probe confirmed unauthorized access to customer personal information in “certain markets” but no compromise of financial platforms or mobile‐money wallets, according to the TELCO. MTN has not disclosed the exact countries or the number of affected subscribers. Currently, MTN’s crisis team is working with external cybersecurity specialists; affected customers will be notified in line with GDPR‐style data‐breach protocols. The Ghana Data Protection Commission (DPC) would have launched its inquiry. However, Ghanaian regulators should demand transparency given past controversies around data sovereignty in the SIM registration exercises.
Ghana’s SIM registration was a tower of biometric babel. Between October 2021 and May 2023, Ghana mandated SIM re‐registration, compelling subscribers to link SIM cards to the national Ghana Card via fingerprint and facial scans. Critics flagged multiple flaws, but the authorities failed to listen: “When you sharpen your blade on another’s back, you dull your own edge.” There were a myriad of problems that were not exclusive to:
Incomplete biometric matching, where fingerprint and facial data were “not reading properly,” failing 1:1 and 1:N verification checks against the National Identification Authority (NIA) database.
The problem of private TELCOs, including MTN, collecting and storing biometric data locally and on backup servers outside Ghana, often in jurisdictions with weaker data‐protection laws, leading to potential cyberattacks.
Lack of independent oversight and no third‐party audit or encryption‐at‐rest mandate, leaving raw biometric templates vulnerable to insider threats or server misconfiguration.
Biometric data (fingerprints and faces), if not managed properly, can be a time bomb. Biometric identifiers differ fundamentally from passwords: they are immutable. Once compromised, a fingerprint or facial template cannot be “reset.” The potential consequences include permanent identity theft, in which malicious actors can spoof authentication systems in banking, travel, health, or government services. Additionally, leaked biometrics could be employed in surveillance and profiling: cross‐linking them with CCTV‐AI networks can enable mass tracking without consent, including of those who took these disastrous decisions.
Leaked biometrics could also be used in synthetic identity creation, where AI can blend real biometric traits with synthetic metadata, spawning untraceable “deep identities.” In Ghana’s context, with millions of SIMs tied to biometric templates, the risk is systemic; a single leak could cascade across financial, health, and social systems, creating “hybrid” personas that evade detection and undermine trust. Machine-learning tools can magnify the impact, generating “technology chimeras”: mash-ups of digital identities and systems that are unstable, untrustworthy, and potentially far more dangerous than any one compromised component on its own.
There are several global examples of such attacks. In India’s Aadhaar leaks in 2018, over 1.1 billion residents’ fingerprints, iris scans, and demographics were exposed via insecure APIs and third-party portals, triggering the World Economic Forum to label it “the largest data breach in history”. In the OPM breach in 2015 in the USA, hackers stole the fingerprints of 5.6 million U.S. federal employees, information still used in background checks and travel clearance, raising espionage risk concerns. In the Thought Green police data leak in 2024 in India, about 500 GB of biometric police-applicant data (fingerprints, facial scans, tattoos) appeared for sale on Telegram, highlighting how leaks propagate in underground markets. These occurrences illustrate that no system, public or private, is immune. The common thread is inadequate encryption, lax oversight, and blurred jurisdictional controls.
The stakes for Ghana are more than just telecom fraud. The first is economic trust in fintech: mobile money underpins Ghana’s digital economy, and a biometric breach could erode confidence in fintech services, stalling investment. There are also national security consequences: stolen biometrics can be weaponised for cross‐border identity fraud, financing of illicit networks, or deep-fake propaganda, especially when amplified by AI.
Charting a secure path forward requires several measures. Data‐localization rules must require all Ghanaian biometric data to reside on government-certified, on-shore servers only. There should not be any compromise on end-to-end encryption with zero-trust: TELCOs must encrypt biometric templates in transit and at rest, with strict key-management protocols. There should be regularly mandated independent biometric audits and annual third-party assessments of matching accuracy (liveness checks) and penetration testing. The government should insist on transparent breach notification and tighten the Data Protection Act (2012) to enforce rapid public disclosure and stiff penalties for non-compliance.
In conclusion, the MTN breach is a clarion call for Ghana to remediate long-standing biometric vulnerabilities inherited from rushed SIM-registration drives. As artificial-intelligence tools render deep forgeries ever more convincing, the window to fortify Ghana’s digital identity infrastructure is closing fast. Balancing security and privacy will demand bold policy moves, technological investments, and an informed public dialogue. The integrity of millions of Ghanaian identities and the trust underpinning the nation’s digital future hang in the balance. In an interconnected age, identity theft, deep-fake fraud, and biometric cloning do not discriminate by rank or privilege. The same code that secures a former minister and their allies’ records protects an informal trader’s savings. Listening to the populace and especially to those with technical expertise is not a concession of weakness but the only reliable path to durable, equitable security.
“The river you divert to harm your rival will dry up your fields.”