Sénégal faces rising cyber threats to public finances

The latest cyberattack targeting the Senegalese Treasury has intensified concerns in Dakar about the country’s digital security posture. Over the past six months, three key government agencies have fallen victim to breaches, thrusting cybersafety to the forefront of national discussions on digital sovereignty. This incident coincides with the state’s accelerated push toward digitalizing public services, inadvertently widening the attack surface for malicious actors. The frequency of these intrusions raises serious questions about the adequacy of existing protective measures for critical infrastructure.

The breach at the Directorate General of Treasury and Public Accounting follows two other high-profile incidents. In October, the tax portal managed by the Directorate General of Taxes and Land Registry was compromised. Earlier, in January, a cyberattack disrupted the national ID card production system, impacting a service that directly interacts with citizens daily. This troubling pattern—spanning taxation, civil registry, and public finance—highlights vulnerabilities at the very core of Senegal’s administrative machinery.

Rapid digital transformation outpaces security measures

Like many African nations modernizing their governance, Senegal has rolled out numerous digital initiatives without always coupling them with equally robust security frameworks. While the shift toward digital public services promises efficiency and transparency, it also demands substantial investments in data protection, real-time monitoring, and staff training. The gap between the pace of digital adoption and the strengthening of defenses has created a critical vulnerability—one that cybercriminals are increasingly exploiting.

Attackers typically pursue three primary objectives: ransom demands via ransomware, theft of sensitive data for resale, or symbolic disruption of state institutions. In the case of the Treasury, the stakes are especially high. The agency manages the state’s financial flows, and a prolonged breach could disrupt public expenditure chains, local government account tracking, and domestic debt management. Authorities have yet to disclose details about the intrusion’s nature or the potential scale of data exfiltration.

Africa’s growing appeal as a cybercrime hotspot

Senegal is far from alone in facing this escalating threat. Across Africa, countries pursuing ambitious e-government programs have experienced large-scale cyber offensives in recent years. The surge in internet connectivity, the rapid adoption of mobile payments, and the migration of public records to cloud platforms have created an environment ripe for exploitation by cybercriminals, whether operating locally or abroad. The cost-benefit ratio remains overwhelmingly favorable to attackers: potential ransoms are lucrative, while the likelihood of transnational prosecution remains minimal.

Dakar has established institutional safeguards, including the Personal Data Protection Commission (CDP) and cybersecurity initiatives led by the State IT Agency (ADIE). However, operational coordination between agencies, incident response capabilities, and cybersecurity awareness among public servants remain works in progress. The wave of attacks may force a more stringent national strategy, incorporating regular audits, simulated cyber drills, and stricter breach notification requirements.

Political urgency takes center stage

For the government, the stakes are now political as well. Public trust in digitalized public services hinges on the assurance that sensitive data—be it financial, biometric, or fiscal—is adequately safeguarded. Three major breaches in half a year have eroded this confidence and weakened the case for advancing large-scale digital projects. Pressure is also mounting on private contractors hired by the state, whose selection often prioritizes cost over the resilience of their technical solutions.

Beyond Senegal, these cascading attacks underscore a broader truth: African digital sovereignty cannot be reduced to local data hosting or the development of domestic applications alone. It demands tangible capabilities to detect, contain, and neutralize increasingly sophisticated intrusions.