Senegal Confirms Cyberattack on Agency Managing National ID and Biometric Data

The Senegal cyberattack on the Directorate of File Automation underscores how quickly critical public services can be crippled when digital identity platforms are targeted. While the government maintains that personal data remains intact, the ransomware group’s claim of 139 TB stolen—including biometric templates and immigration records—creates a credibility gap that erodes citizen trust. The incident also illustrates the growing sophistication of threat actors in Africa, where ransomware gangs now operate with the same speed and confidence seen in more mature markets.

Beyond the immediate service disruption, the breach raises profound privacy and fraud concerns. Biometric data, once compromised, can be repurposed for identity theft, unauthorized surveillance, or black‑mail, making remediation far more complex than a typical data breach. The involvement of IRIS Corporation, a foreign vendor, highlights the security blind spots that emerge when governments outsource core identity infrastructure without robust oversight. Such partnerships can blur accountability, allowing attackers to exploit third‑party access points that may lack the same security standards as sovereign systems.

In response, Senegal must accelerate the creation of a centralized cybersecurity authority capable of monitoring, detecting, and responding to threats across all government agencies. Strengthening vendor management protocols, mandating regular security audits, and investing in insider‑threat training are essential steps. As African nations continue digitizing public services, the Senegal case serves as a cautionary tale: without proactive governance and resilient cyber defenses, the cost of a breach extends far beyond operational downtime, threatening national security and public confidence.