Namibia is affected by a big data breach, including contractual records and personal data of high-ranking officials, while neighboring Kenya enhances its own Data Protection Act.

On the 11^th of December, Telecom Namibia had fallen a victim of a cyberattack. As a result of this attack, 626 GB of data were stolen. Reportedly, malicious actors stole more than 492 000 files, which contained sensitive data of individuals, high-ranking officials, ministries, private businesses, and state-owned enterprises.

On the 16^th of December, the Communications Regulatory Authority of Namibia (CRAN) confirmed an attack against Telecom Namibia but didn’t provide details of the incident. CRAN stressed the need for robust cybersecurity measures to protect sensitive data and stable functioning of critical infrastructure.

According to preliminary information, the leaked information contained such sensitive data as:

• IDs
• Addresses
• Banking details
• Contractual records
• Telecom’s internal budget reports between 2021 and 2024

The personal data of several prominent persons, including Namibia Investment Promotion and Development Board CEO Nangula Uaandja, Speaker of the National Assembly Prof. Peter Katjavivi, Minister of Health and Social Services Dr. Kalumbi Shangula, President Nangolo Mbumba, former President Hifikepunye Pohamba, and others, has been leaked.

This is one of the largest known data leaks in the history of Namibia. Leaked data could potentially expose citizens to further risks, like identity theft, financial fraud, and phishing scams. At this moment, Namibia’s Data Protection Act has not yet been enforced, thus limiting the scope of customers legal tools under statutory law. Affected persons could request compensation for damage due to negligence in safeguarding data.

Meanwhile, Kenya, Namibia’s neighbor, bolsters its data protection laws. In the beginning of December, the Office of the Data Protection Commissioner, along with the Ministry of Information Communication and Digital Economy, published a new draft of data protection rules with stricter regulations on data controllers. Kenya’s Data Protection Act was signed and came into force in 2019.

Recently published, the draft Data Protection Regulations and the draft Data Sharing Code are specifying the procedures for audits conducted by the Commissioner and the process for entities seeking accreditation to perform data protection audits. The proposed rules would become a framework for future data protection audits, ensuring the quality of audits and compliance with legal standards during such reviews.

According to the currently active Data Protection Act, the data commissioner can initiate a compliance audit due to several reasons, such as receiving complaints from individuals, as part of a broader investigation or enforcement action, or based on inner risk assessment and other information about potential issues related to data processing. The Data Protection Commissioner could also conduct an investigation as a result of perceived or real privacy risk, data breach notification, a petition, or on their own initiative. As a result of such audit the Data Protection Commissioner can provide recommendations for improvement or issue a legal enforcement or financial fine.

With such changes, Kenya made a further step to safer and stricter data processing, following the path of its neighbors. Rwanda and Cape Verde also made changes in data protection laws in 2022 and 2021, respectively. Highly likely, data protection will continue to be a heated theme in the upcoming years, and governments will continue to tighten legal frameworks for data protection.