In this week’s report, we look at the latest information security developments in North-West Africa. As hackers target Senegal’s tax authority, Algeria is reforming its digital defenses. The twin developments underline how Africa’s cybersecurity landscape is evolving under pressure.
October starts with a major incident in West Africa. Senegal’s General Directorate of Taxes and Estates (DGID) fell victim to a cyberattack. The events are unfolding in real time, with updates arriving daily. Some details vary between reports, yet all reports agree that it is a big hit to the Senegalese government entity.
Initial reports came on the 2nd of October, claiming that DGID, a Senegalese body under the Ministry of Finance and Budget responsible for managing state assets, administering land ownership, and collecting taxes, was breached by a ransomware group.
The attackers used a double extortion tactic, adding the Directorate’s name to their leak site and offering the stolen data for sale. In this type of attack, criminals both encrypt an organization’s data and exfiltrate it, giving victims two grim options: pay the ransom to regain access and hope the stolen files are deleted, or refuse and risk having the data sold or publicly released.
To pressure the DGID, criminals published a list of stolen data. According to claims, they were able to exfiltrate the following records:
Criminals initially claimed to have exfiltrated around 1 TB of data. Exposed records could be used for identity theft, tax scams, phishing, and document forgery. A combination of signatures, stamps, and detailed financial records is quite threatening and could lead to long-term consequences.
As the events were unfolding, details on the attack became more and more contradictory. Clement Domingo, an African information security observer, reported that there are doubts that the criminals possess all the claimed records. The researcher analyzed the tree structure of the published data sample and didn’t find any indication of compromise of network infrastructure, financial records, or KeePass. He also hinted that the amount of the requested ransom is strange, as the criminals raised it from $250,000 to $10 million.
There were other suspicious signs as well. The group backtracked on its claims about the amount of data stolen—initially saying it had taken 1 terabyte of records, then later reducing that figure to just 24 gigabytes. They also removed the previously shared sample that included a file tree. While the tax platform remained offline, the attackers raised the stakes, claiming they could decrypt the data and restore services within 12 hours of receiving the ransom.
This incident could turn out to be one of the most significant data breaches in Africa in 2025—comparable to the compromise of Morocco’s National Security Fund—or it could turn out to be an elaborate bluff. Only time will reveal the true scale of the attack.
To counter the growing number of cyberattacks in the African region, Algeria continues to develop laws on data protection. In July 2025, Law No. 25-11 was officially enacted, providing a supplement to Law No. 18-07 on the protection of personal data.
The new law strengthens the legal framework, introduces and clarifies several key definitions, and brings Algerian law closer to international regulatory standards. Law No. 25-11 defines such terms as "biometric data," "profiling," "personal data breach," and several others. The law also provides numerous additions to data protection.
From July 2025, data controllers must appoint Data Protection Officers (DPOs) with the required skills and knowledge in the fields of data protection practices and laws. A single DPO may be appointed for several organizations, considering their size and structure. The officer’s responsibilities include monitoring compliance with relevant legal regulations, assessing data processing practices, and acting as the contact point with the National Authority.
Another important change is the requirement to register all data processing activities. This record should include, at a minimum, the categories of information collected, the legal basis for processing that data, and a description of the technical and organizational security measures in place.
Data controllers must also log each processing operation, noting the date and time, as well as the identity of the person who accessed the records. A copy of this log must be kept by both the data controller and the data processor. The log should be continuously updated and made available to the National Authority for the Protection of Personal Data when needed to demonstrate compliance with legal requirements.
There are other additions in Law 25-11. Organizations must conduct a Data Protection Impact Assessment (DPIA) prior to any data processing that is likely to present a high risk. On top of that, the law specifies that data controllers and processors must implement adequate technical and organizational measures to prevent any type of information misuse or illegal processing. In case of a data breach, companies must inform the National Authority no later than 5 days after becoming aware of it. The report should include the nature of the breach, its possible consequences, and the measures taken to mitigate it.
Although Law No. 25-11 builds on the existing Law No. 18-07, it is a major legal act for data protection practices in Algeria. By introducing DPOs, clearer reporting procedures, and stricter processing requirements, the law marks an important step toward greater information security maturity for Algerian organizations.
As governments around the world continue to strengthen data protection laws, organizations face increasing pressure to meet stricter compliance requirements. Regulators are taking decisive action to ensure that companies across all industries follow proper data protection practices. At the same time, many businesses recognize that aligning with international standards not only helps them stay compliant but also builds credibility and opens opportunities with global partners.
The SearchInform team has developed Risk Monitor, a next-generation Data Loss Prevention (DLP) system to address these needs. It combines data classification with data leak prevention, both of which are key components of data protection regulations worldwide. The solution goes beyond traditional DLP capabilities by offering powerful investigation tools, streamlined compliance reporting, and protection against business risks such as corporate fraud and document forgery.