The recent Senegal cyberattack on the Directorate of File Automation (DAF) has done more than disrupt government services. It has exposed how vulnerable the country’s most sensitive data systems really are, and why cybersecurity can no longer be treated as a technical issue handled quietly in the background.
DAF, the government agency responsible for managing national ID cards, passports, biometric records, and electoral data, was forced to temporarily shut down operations after detecting a cyber incident.
For millions of Senegalese citizens, this means delays in accessing essential identity services. For the country, it raises far bigger concerns about data security and national trust.
Senegal Cyberattack Brings Identity Services to a Standstill
In an official public notice, DAF confirmed that the production of national identity cards had been suspended following the cyberattack. Authorities assured citizens that personal data had not been compromised and that systems were being restored.
However, as days passed and the DAF website remained offline, doubts began to grow. A Senegal cyberattack affecting such a critical agency is not something that can be brushed off quickly, especially when biometric and identity data are involved.
Hackers Claim Theft of Massive Biometric Data
The situation escalated when a ransomware group calling itself The Green Blood Group claimed responsibility for the attack. The group says it stole 139 terabytes of data, including citizen records, biometric information, and immigration documents. To back up its claims, the hackers released data samples on the dark web.
They also shared an internal email from IRIS Corporation Berhad, a Malaysian company working with Senegal on its digital national ID system. In the email, a senior IRIS executive warned that two DAF servers had been breached and that card personalization data may have been accessed. Emergency steps were taken, including cutting network connections and shutting access to external offices.
Even if authorities insist that data integrity remains intact, the scale of the alleged breach makes the Senegal cyberattack impossible to ignore.
Implications of the Senegal Cyberattack
DAF is not just another government office. It manages the digital identities of Senegalese citizens. Any compromise—real or suspected—creates long-term risks, from identity fraud to misuse of biometric data.
What makes this incident more worrying is that it is not the first major breach. Just months ago, Senegal’s tax authority also suffered a cyberattack. Together, these incidents point to a larger problem: critical systems are being targeted, and attackers are finding ways in.
Cybercrime groups are no longer experimenting in Africa. They are operating with confidence, speed, and clear intent. The Green Blood Group, which appeared only recently, has reportedly targeted just two countries so far—Senegal and Egypt. That alone should be taken seriously.
Disputes, Outsourcing, and Cybersecurity Blind Spots
The cyberattack also comes during a payment dispute between the Senegalese government and IRIS Corporation. While no official link has been confirmed, the situation highlights a key issue: when governments rely heavily on third-party vendors, cybersecurity responsibility can become blurred.
The lesson from this Senegal cyberattack is simple and urgent. Senegal needs a dedicated National Cybersecurity Agency, along with a central team to monitor, investigate, and respond to cyber incidents across government institutions.
Cyberattacks in Africa are no longer rare or unexpected. They are happening regularly, and they are hitting the most sensitive systems. Alongside better technology, organizations must focus on insider threats, staff awareness, and leadership accountability.
If sensitive data from this attack is eventually leaked, the damage will be permanent. Senegal still has time to act—but only if this warning is taken seriously.
