
Senegal Biometric Incident Highlights Alignment of Digital Ambition with Security Maturity

A significant security incident involving Senegal's national biometric database demonstrates the critical need for reliable data governance. This analysis examines the technical factors behind the exposure and discusses how nations can better align digital transformation efforts with cybersecurity maturity.

Triage Security Media Team

Recent security incidents in Senegal indicate that the biometric data of a significant portion of the adult population has been exposed to unauthorized parties. On January 19, a ransomware group identifying itself as "The Green Blood Group" gained unauthorized access to two servers at the Directorate of File Automation (DAF). This government agency manages passports, national ID cards, and biometric data for the nation's approximately 20 million residents. Following the intrusion, the group announced on the dark web that it had exfiltrated biometric data and immigration records.

While the immediate risk to Senegalese citizens and businesses is substantial, industry experts suggest the incident points to systemic challenges. Aboubacar Yacouba Mai Birni, Chief Operations Officer (COO) at the Africa Cybersecurity Resource Center (ACRC), notes that rather than viewing this as a failure unique to Senegal, it reflects a broader regional challenge where "digital ambition has outpaced cybersecurity maturity."

Shortly after the initial data exposure, reports surfaced that Sénégal Numérique SA, an organization central to managing the state's digital infrastructure, also experienced a security incident. Local media, including L'Observateur, have speculated on whether the timing suggests a coordinated campaign targeting state infrastructure.

Threat Actor Profile and Technical Analysis

Senegal's national biometric ID system, implemented by Malaysian firm IRIS Corporation Berhad beginning in 2016, holds records for millions of citizens. The Green Blood Group, a relatively new threat actor group previously observed impacting organizations in Colombia and India, targeted this infrastructure in mid-January. Researchers at Foresiet characterize the group as technically capable, utilizing a Golang-based encryption tool and a double-extortion model.

The incident disrupted DAF operations for at least five days. Correspondence from IRIS employee Quik Saw Choo to the Ministry of Interior and Public Security suggests this disruption may have been partially due to defensive containment measures. The email confirmed that two critical servers were compromised: the domain controller, which enables lateral movement across the network, and a "Perso" server, likely hosting the database of personal citizen information. Despite containment efforts, the threat actors maintained sufficient access to exfiltrate internal communications alongside the database.

Analysis of Exposed Data

On February 4, analysts identified a leak site attributed to the Green Blood Group, which claimed possession of 139TB of data. However, a ransom note addressed to the DAF referenced 139GB, suggesting a possible typographic error in the public claim. Cybersecurity researcher Clement Domingo analyzed the exposed samples and confirmed the presence of authentic birth records and national ID card data.

The DAF publicly acknowledged the incident on February 5, announcing a temporary suspension of new national ID card production. In their statement, the agency assured the public that the integrity of the data remained intact. However, observers noted that the statement did not address the confidentiality of the data, which had already been compromised.

According to Yacouba Mai Birni, the implications extend beyond immediate fraud risks. "The most critical risk is systemic mistrust," he explains. "If citizens lose confidence in the state's ability to protect their digital identity, they may resist future digital initiatives, which would undermine financial inclusion, e-government, and economic digitalization efforts across the country."

Strengthening Biometric Systems

Yacouba Mai Birni observes that the continent does not lack digital ambition but rather the cybersecurity maturity to support it. While the Senegalese system was designed for legitimate state objectives, the incident highlights a common structural imbalance. Governments frequently invest in data collection technologies without a proportional investment in security-by-design, long-term governance, and independent oversight. This results in states accumulating sensitive data faster than they build the institutional capacity to protect it.

Constructive models exist within the region. Yacouba Mai Birni points to Mauritius, which established data protection authorities with enforcement capacity early on; Ghana, which integrated its biometric ID system with legal accountability and consistent security investment; and Morocco, which emphasizes state-level coordination for critical infrastructure defense.

This incident presents an opportunity for governments to reassess their security posture. "Handled correctly, this moment could mark a turning point toward more resilient and trustworthy digital states," Yacouba Mai Birni says. "Handled poorly, it risks reinforcing digital fear and dependency."