Rogue Kenya Power staff created and gave rights to non-employees to access company systems to manipulate bills and engineer fraudulent tokens that led to the loss of hundreds of millions of shillings through a well-orchestrated scandal. The scam lasted a whole year, the Nation has learnt.
By the time the fraud was detected, thousands of unsuspecting Kenyans had paid electricity bills that were up to five times what they had consumed. Many others had bought tokens through a thriving black market created by rogue staff that almost crippled the power distributor.
Kenya Power has never recovered from this well-calculated scheme that ran through the whole of 2018, and the staff who orchestrated the fraud are still free after being suspended or fired from work. To date, it is not clear how much money was lost, but insiders believe it could run into almost Ksh1 billion ($10 million), if the refunds the affected customers were to be paid are factored in.
Today, the Nation brings you the whole story of one of Kenya’s most brazen fraud schemes that began from a deliberate move not to install a verification system when the power firm was switching to a new payment platform in 2017. The fraudsters targeted both the prepaid and post-paid systems, which are both linked to the Integrated Customer Management System (inCMS) installed in 2017.
Since 1996, Kenya Power had been using an Integrated Customer Service (ICS) created by the Spanish company Indra Kenya. The same firm was contracted in 2017 to create a new system, and came up with inCMS.
The new system had a module known as a One Time Charge (OTC) that could debit and carry forward money owed by a customer before they pay for the purpose of reconciliation of accounts, making it easy for the company’s accounting department to calculate revenues.
For example, if a customer’s account was due with Ksh10,000 ($100), the OTC module would automatically debit Ksh10,000 and then carry the balance forward so that once the customer paid the money owed would automatically drop to zero.
Officers from the power company saw a loophole in the system and started creating fake OTC charges by overcharging or undercharging customers through a computer linked to the system from Kisii, and then approaching the same customers for negotiations.
An investigation report by the Directorate of Criminal Investigations (DCI), which has been presented to the Director of Public Prosecutions (DPP), notes the scheme was started by a Kenya Power officer who was based at the ICT department.
“He created a user known as Edgar Odhiambo Ojienda, who was not a Kenya Power staff in the active directory,” says the report. “Mr Ojienda was an employee of Belken Agencies Masters, which was contracted by Kenya Power between 2014 and 2017 to design and maintain power lines.”
Mr Ojienda then recruited several brokers who represented several regions, and the only region the cartel was unable to infiltrate was the Coast.
Ojienda covered South Nyanza and the Rift Valley while Mr Gordon Okwach, who CCTV identified as a commoner around Stima Plaza in Parklands, covered Nairobi.
The Western region was covered by Ms Christabel Akech, who also recruited another person, only identified so far as Judith. Most of the customers who benefited from the scheme identified Mr Ojienda as having helped them with their bills.
In order to make their scheme work, the fraudsters identified customers who usually got high bills and paid frequently and then over-billed them.
When the customers went to Kenya Power offices to complain, they were introduced to brokers who were usually lurking around banking halls.
The brokers then offered to help deal with the bills for a fee. Once the customer paid, the information was relayed to Mr Ojienda, who had been given overriding access to the system, and he immediately reduced the bill to zero. The money, however, went into the pockets of the fraudsters and employees who were part of the scheme.
“The scenario was duplicated over and over again, especially to large power consumers like schools, hotels and factories. Negotiators were sent to them for talks on how to lower their power bills,” says the DCI.
“At some point Mr Ojienda fraudulently rebilled an account (DM Concrete) Ksh3.6 million ($36,000) at a cost of Ksh1.2 million ($12,000) kickback.”
The DCI report is the result of an eight-month investigation, which has revealed that Mr Ojienda alone orchestrated a direct loss of Ksh58 million ($580,000) to Kenya Power in 2018.
Bombarded with questions on why power bills had risen astronomically, Kenya Power at some point claimed that the inflated bills were as a result of migration to the Integrated Customer Management System and the backdating of bills in order to recover an outstanding Ksh10.1 billion ($101 million) owed by customers.
The inflation of bills, they argued, was necessary because it did not want to raise power charges in 2017 since it was an election year and it had to recover the money that had caused a huge hole in their financial statements.
A separate syndicate attacked the prepaid system in a scheme that was also orchestrated by Kenya Power’s IT staff, including management, by not installing a token validation system.
The power distributor has a system known as RADIS that is domiciled at its main server, called EVGE. Once customers pay for tokens through mobile money, the information is sent to RADIS for verification before the token is sent back to the customer as a text message.
In order for a token to be generated, RADIS has to receive the customer’s name, meter number, amount paid, and the mobile money transaction reference number.
“Fraudsters knew that Kenya Power did not have a validator to know if it was receiving genuine transactions from M-Pesa. This was in case a customer complained that their tokens had not been generated through 888880,” the report says.
The code 888880 is the paybill number that prepaid customers use to pay via M-Pesa.
“There was a failure to create a validator and this was a design to create a loophole for stealing,” says the DCI. “Rogue individuals altered genuine M-Pesa reference numbers by replacing the last digit and consequently generating irregular tokens and selling the same.”
At the heart of the scheme, DCI says, was a programme developer who worked under ICT acting general manager at Kenya Power. The mastermind of the scam, detectives believe, was a Mr Albert Komen, who was in 2017 identified by the Banking Fraud Unit as one of the leading online fraudsters in Kenya.
Mr Komen is currently in court, with other suspects, facing charges of orchestrating the loss of Ksh3.9 billion ($39 million) by the Kenya Revenue Authority (KRA).
He is also part of a gang linked to American jailbird Larry Peckham II that attempted to hack the Independent Electoral and Boundaries Commission (IEBC) before the 2017 elections.
After generating the fraudulent tokens, Mr Komen sent out brokers disguised as Kenya Power staff to look for unsuspecting Kenyans who wanted to buy cheap electricity.
A Ksh1,000 ($10) token, for example, could be bought at Ksh500 ($5). The hackers were at some point so brazen that they openly sold tokens on social media.
The second way cash was lost on the prepaid system was by replacing tokens of faulty metres that did not exist. Fake employees were created and given rights to search for customers whose meters had been made to intentionally reject tokens. Once identified, the customers were made to negotiate for the tokens at a lower price.
More than 2,000 customers benefited from the scam.