Senegal’s state agency in charge of managing citizens’ biometric and identity information has suffered a major cyberattack, causing significant disruption and prompting concerns over national data security.

The Directorate of File Automation (DAF) — the government body responsible for issuing national identity cards, passports and storing critical biometric records — was targeted by a sophisticated hacking operation that forced the agency to shut down its systems and halt production for several days.

According to a dark web post by a hacker group calling itself “The Green Blood Group,” the attackers claim to have stolen an enormous trove of data — 139 terabytes — from DAF’s networks. The group says it has added the agency, along with at least one private company called Ecobat, to its list of victims on the group’s illicit portal.

What’s at Stake?

DAF plays a crucial role in Senegal’s administrative infrastructure. The agency holds highly sensitive information, including biometric identifiers and personal data tied to national identity cards and international travel documents. A breach of this scale presents serious implications for privacy, national security, and trust in public systems.

While the hackers have publicly made their claims, official authorities in Senegal have not yet confirmed the full scope of the breach or verified the volume of data taken. There has been no detailed public statement about how many individuals might be affected or whether citizen records were specifically exposed.

Involvement of International Partners

The cyberattack reportedly occurred amid an ongoing dispute between the Senegalese government and Malaysia’s Iris Corporation, the firm contracted to produce the country’s digital National ID cards (CNI). The disagreement centers on unpaid invoices, and sources familiar with the situation say that once the breach was detected, Iris requested that DAF take all systems offline as it prepared to send its technical team to Dakar to assist.

This development has led some observers to question whether there could be a connection between the commercial dispute and the cyberattack — though no official link has been established. Senegalese authorities have so far refrained from attributing blame or releasing a comprehensive assessment of the incident.

A Broader Pattern of Cyber Incidents

The reported attack on DAF adds to a series of cyber intrusions affecting sensitive public institutions in Senegal. In recent months, the General Directorate of Taxes and Domains also experienced a cyberattack, further underscoring a growing vulnerability in the country’s digital infrastructure and intensifying calls for stronger cybersecurity defenses.

As technicians continue efforts to restore services, citizens and officials alike are awaiting an official response from the government, with many urging transparency about the extent of the breach and protective measures moving forward.