A cyberattack on Kenya’s Micro and Small Enterprise Authority (MSEA) has compromised sensitive government and business data, with much of it now reportedly available for sale on the dark web. The breach has raised alarms about the cybersecurity vulnerabilities within the country’s critical public institutions.
Hackers gained access to a trove of confidential information, including employee records, government communications, financial statements, and business registration data.
The stolen data has been listed on dark web forums for $100,000, with some files already downloaded, sparking concerns over potential identity theft, fraud, and corporate espionage.
The attackers are also believed to have infiltrated NLSBanking.com, a platform serving over 20 financial institutions across Asia and Africa, including prominent Kenyan banks such as the National Bank of Kenya, NIC Bank, and Sidian Bank.
Preliminary investigations suggest the hackers exploited outdated software and weak access controls within MSEA’s IT systems. Cybersecurity experts have pointed to a failure to implement critical security patches, leaving the authority vulnerable to attack.
“This breach underscores the urgent need for government agencies to prioritize cybersecurity,” said John Muriuki, a Nairobi-based cybersecurity analyst. “With the increasing digitization of public services, these institutions are becoming prime targets for cybercriminals.”
The MSEA is a cornerstone of Kenya’s economy, supporting millions of micro and small enterprises with funding, business registration, and capacity-building programs. The exposure of this data could have far-reaching consequences for thousands of businesses that rely on the authority for critical services.
Kenyan authorities have launched an investigation into the breach, while cybersecurity experts are urging the government to implement stronger security protocols to prevent future attacks.
As digital transformation accelerates in Kenya, the incident serves as a stark reminder of the risks that come with insufficient cybersecurity measures.
“This is a wake-up call,” Muriuki added. “If Kenya’s government institutions don’t act swiftly, we could see more attacks of this magnitude in the near future.”