- CybAfrique Newsletter
- Posts
- How to build a (hackable) digital ID system
How to build a (hackable) digital ID system
inside: the year of intracontinental fiber and headlines across African infosec
CybAfrique Media
February 14, 2026
CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.
HIGHLIGHTS
How to build a (hackable) digital ID system
If you wanted to build an ID system, you could build it yourself and figure out every database entry, but that is a lot of work. Instead, you can outsource it to a conglomerate specialising in biometric systems called IRIS Berhad.
All this talk about DPIs means you want your ID to be interoperable and decentralised, allowing different people to access it when needed, without becoming a single point of failure.
First, you get a server or ten. A server is essentially a computer. To be useful, you need a couple of programs on it. You need a program for managing the database, for handling web requests, and, more importantly, software to communicate with the world. Senegalese ID authorities utilised SmarterTools, a fitting name for its capabilities. SmarterTools was a suite of enterprise collaboration software that included SmarterMail (used for email and internal communication), SmarterTrack (used for help desk and customer service), and SmarterStats (used for web log analytics), among others.
On January 15, 2026, SmarterTools released a patch for a serious security vulnerability. The vulnerability allowed unauthenticated attackers to reset administrator passwords via a flawed password reset API. SmarterTools, being very smart, sent out a security update to everyone, asking them to update to the new build. Almost immediately, threat actors reverse-engineered the update to find exactly what had been patched, then began targeting systems that had yet to patch the "force-reset-password" vulnerability.
If, like Senegal, you were also running a national identity database on a system also running so-called SmarterTools, it would be very smart to update the software immediately. If you do not catch it, your vendor, IRIS Corporation Berhad, will. If the vendor does not catch it, then definitely, your national CERT will catch it, yes?
The Senegalese authorities did not catch it. The vendor was owed payment arrears and so might or might not have been on speaking terms with the authorities. And CERT Senegal is not fully functional, and even if it were, there’s not enough cross-integration to make you see if something like this is coming.
On January 19, 2026, Senegal suffered a breach of two critical servers at the Directorate of File Automation (DAF). Citing a possible system glitch, the authorities shut down the production of national identity cards. Green Blood Group, the threat actor responsible, responded by leaking an internal email from an IRIS executive and samples of 139 GB of stolen data. On February 5, 2026, the authority publicly acknowledged the cyberattack.
If a password is breached, you can always change it. Biometric data isn’t so. You cannot reset your fingerprints, rotate your iris scans, or issue a new face. Africa’s digital ID push leaves significant gaps. Infrastructural gaps, accessibility issues, including lapses in security and policy oversight.
Is 2026 the year of intra-continental fibre?
2026 has been dubbed the year of AI, the year of teeth, the year of sovereign clouds, the year of this and that… It might also be the year of intra-continental cables.
This week saw three major fibre developments.
Nigeria and Equatorial Guinea signed a memorandum to deploy subsea fibre-optic infrastructure across the region. Currently, the only cable connecting both countries is the Europe (ACE) cable system that connects Guinea-Bissau to the wider West African region, including hubs that connect to Nigeria. In East Africa, the Subcable Group Paratus is launching a new terrestrial fibre route connecting Mombasa on the Kenyan coast to Goma in the eastern Democratic Republic of Congo (DRC).
In Central Africa, Chad is urging operators to fast-track a fibre link with Cameroon. This is perhaps the most important of these connections. Chad is entirely landlocked, which excludes it entirely from subsea cable landfalls in coastal cities.
Beyond government initiatives, telcos such as Ethio Telecom, Djibouti Telecom, and Sudatel Group continue to strengthen connections between North and East Africa.
Overall, we might be seeing a drive for cross-border interconnection between countries, both landlocked and non-landlocked. These connections, in theory, will also boost collective resilience. When cable breaks cause major shutdowns in a country or group of countries, cross-connections provide alternative routes via countries that still have a working cable.
This comes with its own challenges. Terrestrial fibres are very hard to keep safe.
FEATURE
HEADLINE
Egypt refers int'l cybercrime gang behind top phishing platforms to criminal prosecution
Mozambique launches a program that allows individuals to report personal breaches
South Sudan reopens ties with Huawei years after spying accusations
Somalia approves regulatory framework to strengthen public data protection
Ghana’s Cyber Security Authority to open four zonal offices to fight cybercrime
Egypt’s NCW highlights women’s role in cybersecurity at FDC summit 2026 preparatory session
Uganda rolls out free cyber protection for government Offices
Reply