A recent cyberattack targeting the Senegalese Public Treasury underscores a growing concern for Dakar. Within a mere six months, three vital central government administrations have experienced system compromises, pushing cybersecurity to the forefront of discussions surrounding Senegal’s digital sovereignty. This latest incident occurs as the state rapidly digitizes its services, inherently broadening the potential attack surface for malicious actors. The close succession of these intrusions raises serious questions about the resilience of protective measures implemented across critical national infrastructure.
The assault on the Directorate General of the Treasury and Public Accounting follows two significant prior incidents. Last October, the online portal for the Directorate General of Taxes and Domains was targeted. Then, in January, the department responsible for producing national identity cards suffered an intrusion, disrupting an administrative service that citizens rely on daily. This pattern paints a troubling picture, affecting core governmental functions: taxation, civil registry, and public finance.
Accelerated digitalization, lagging defenses
Like many African nations committed to modernizing their public administrations, Senegal has launched numerous digital initiatives without always fortifying these deployments with commensurate security architectures. While the digital transformation of public services promises greater efficiency and transparency, it necessitates substantial parallel investments in data protection, continuous oversight, and staff training. The disparity between the pace of digitalization and the strengthening of cyber defenses is precisely the vulnerability that cybercriminal groups are exploiting.
Attackers typically pursue three objectives: extortion through ransomware, exfiltration of sensitive data for resale, or the symbolic destabilization of state institutions. In the case of the Public Treasury, which manages the state’s financial flows, the stakes extend far beyond a mere service interruption. A prolonged compromise could disrupt the execution chain of public expenditures, the monitoring of local government accounts, or even the management of domestic debt. Senegalese authorities have not yet specified the exact nature of the intrusion or the extent of any potentially exfiltrated data.
A continent becomes a prime target
Senegal’s situation is not unique. Several African countries engaged in ambitious e-government programs have faced large-scale cyber offensives over the past two years. The expansion of internet connectivity, the widespread adoption of mobile payments, and the gradual migration of public records to the cloud create an especially attractive environment for cybercriminals, whether they operate domestically or internationally. The cost-benefit ratio for these attacks remains favorable to assailants: potential ransoms are substantial, while the likelihood of cross-border judicial pursuit remains low.
Despite this, Dakar possesses a theoretically structured institutional framework, including the Personal Data Protection Commission (CDP) and initiatives led by the State IT Agency (ADIE). However, operational coordination among administrations, incident response capabilities, and a robust cybersecurity culture among public officials remain ongoing challenges. The increasing frequency of attacks could prompt the adoption of a more stringent national strategy, incorporating regular audits, simulation exercises, and enhanced notification obligations.
Anticipated policy response
For the government, the issue is also political. Citizen trust in digitized public services hinges on the assurance that their fiscal, biometric, and financial data are adequately protected. Three incidents in six months erode this trust and weaken arguments for continuing major digital projects. Pressure is also expected to mount on technical service providers engaged by the state, where selection criteria sometimes prioritize cost over the robustness of proposed solutions.
Beyond Senegal, these escalating attacks serve as a potent reminder that African digital sovereignty is not solely about local data hosting or the development of national applications. It fundamentally requires a genuine capacity to detect, contain, and neutralize increasingly sophisticated intrusions.
