Why are the telcos always under attack?

Inside: Kenya's data compensations

Author

CybAfrique Media
January 31, 2026

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Why are the telcos always under attack?

Telcos are really complicated to build, as we have said twice now. They are even harder to secure. Forget, for a moment, the money problems, infrastructure plundering, and marketing headaches. Why do telcos remain under constant cyberattack?

This week, Nigerian police reportedly busted a ₦7.7bn ($5.5M) telecom hack ring that infiltrated the core billing systems of a major provider to "mint" airtime. At the same time, Algérie is reeling from Dark 07x breach involving the exfiltration of gigabytes of internal network maps and sensitive government employee data. They are not the only ones. In the past year alone, we’ve counted at least 6 major telco breaches and attacks (Cell C (South Africa), MTN Ghana, Telecom Namibia, Orange (Maghreb Region), Safaricom (Kenya), and now Algérie Télécom.

We are not the only ones noticing this pattern. According to the Netscout 2025 Threat Intelligence Report, the telecom sector is one of the most targeted sectors in Africa, largely because it represents the continent's most critical single point of failure.

The most obvious reason is that telcos have become good targets, especially as they evolve into super-apps. A SIM card maintains access to your bank account, is linked to your biometric data, and has real-time access to your location. Telcos are also ISP providers, which makes them perfect as man-in-the-middle vectors. Oh, and some telcos, like MTN and Safaricom, run banks the size of national economies as a side-hustle.

The technicalities of these attacks, however, are much more complicated.

For example, many breaches and interceptions are often caused or exacerbated by the Signaling System No. 7 (SS7) system. SS7 is a foundational protocol used by global telecom networks to route calls and SMS, which was built without security. Because the system relies on an outdated, trust-based model from the 1970s, it lacks proper authentication. If you can get onto the "signaling" layer of a network—which hackers increasingly can—you can spoof an SMS verification code (2FA) or track a user's location without them ever knowing.

The talk about upgrading infrastructure is critical here. SS7 is still the backbone of 2G and 3G infrastructure across the continent. This is important because, despite the glossy headlines about smartphone expansion and 5G rollouts, millions of users still depend on 2G/3G for their calls and USSD menus.

Then there are the DDoS attacks. Because Africa has a large second-hand electronics market, researchers have found that unpatched smart TVs, cheap "white-label" smartphones, and legacy routers are being rounded up into massive "local" botnets. Unlike global botnets, these local ones (often derived from Mirai variants) attack from inside the national network, making them much harder to filter out.

An easy way to stop or prevent DDoS attacks is to route traffic through scrubbing centers—specialized facilities that filter out the "junk" traffic. But scrubbing centers in Africa remain scarce, far fewer even than the continent’s already limited number of data centers.

This analysis seems a bit unfair. It postures Africa’s security situation as a socioeconomic and infrastructural problem, but when you really think about it, isn’t everything, in the end, a socioeconomic and infrastructural problem? 

Kenya’s data paycheck

While Wednesday marked Data Protection Day, Monday was when Kenya’s Office of the Data Protection Commissioner (ODPC) issued 184 compensation orders to Kenyans whose personal data was mishandled and weaponised for commercial exploitation or digital debt shaming. The awards ranged from KES 100,000 to KES 500,000 ($700 - $3,500), covering cases in which digital lenders harassed borrowers' contacts and in which entertainment joints used patrons' photos on billboards without consent.

The AI-written LinkedIn posts would read something like “while some were celebrating the milestone, the Kenyan ODPC was proving it has teeth.”

Data compensations are not new. Globally, the concept of "material and non-material damage" (the legal term for "you lost money" vs. "you are stressed out") was popularized by the EU's GDPR Article 82. Historically, data protection was a matter of administrative fines where the government gets the fine because someone broke a rule. The philosophical shift toward compensation treats personal data as private property. That, if you abuse my data, you have broken a rule as well as damaged my intangible assets and thus owe me a check for repairs.

We’ve written before that most of Africa’s drive for data laws and regulation is a means to exert political influence in the digital space and generate revenue for the state(or personal?) coffers. It will not hurt to share some of that revenue with the actual people whose data was abused. We’re keeping our fingers crossed that as the continent moves further with data regulations and enforcements, compensations like this would become staples, too.

FEATURES

HEADLINES

ACROSS THE WORLD

See you next week.

Reply

or to participate.