Hackers recently breached several government websites, including State House, the Directorate of Criminal Investigations (DCI), and the Immigration Department. The attack also hit the Health, Education, Labour, Environment, ICT, Tourism and Interior ministries. This breach reveals a troubling pattern of negligence. While the government works to restore these critical platforms, a deeper look shows that these Kenya government cyber attacks were entirely predictable. The Office of the Auditor-General has been warning about weak digital systems for years. State officials have largely ignored these detailed reports
The Cost of Ignoring Audit Warnings
Auditor-General Nancy Gathungu has repeatedly highlighted vulnerabilities at both national and county levels. Year after year, her reports have pointed out potential attack points that were essentially begging for hackers to strike. She found that essential platforms lacked basic Information and Communication Technology (ICT) frameworks, specifically flagging the citizen-facing eCitizen portal.
The report for the financial year ended June 2023 noted that eCitizen lacked key safeguards. These missing elements included:
- A comprehensive ICT policy
- An ICT steering committee
- An approved business continuity plan
- A secondary backup site
The results of these ignored warnings appeared rapidly. Days into the following financial year, a cyber-attack struck the eCitizen platform. This attack paralyzed the system and cut off access to over 5,000 government services from ministries, county governments and agencies. A Sudanese hacker group later claimed responsibility, saying they had taken down several Kenyan websites to protest what they described as Kenya’s interference in Sudan’s affairs. Then ICT Cabinet Secretary Eliud Owalo confirmed that no data was lost during the attack, though the state had essentially left the door open by ignoring audit advice.
Widespread Vulnerabilities Across Government
The problems extend far beyond eCitizen. In her report for the financial year ended June 2024, Ms Gathungu indicated that 39 National Government Constituencies Development Funds did not have ICT policies. In the same period, 13 water companies had implemented weak ICT policies and controls, leaving them open to attack by hackers.
“The absence of robust ICT frameworks increases exposure to cyber risks, compromises the safeguarding of information assets, and weakens the alignment of technology with business objectives. Ultimately this may impair operational efficiency and hinder sustained service delivery to the public,” the report stated.
The year before, someone at the Ministry of Health managed to override controls of the Integrated Finance Management and Information (IFMIS) system, creating a new account which was used to loot an undisclosed amount of taxpayers’ money.
The “PCP@Kenya” Attack
The recent attack left several state departments inaccessible. The Immigration Department, the Directorate of Public-Private Partnerships, the DCI, and the State House website were among those affected. The Hustler Fund, the Immigration State Department, the Government Press and the Nairobi City County also suffered disruptions.
The attackers made the websites inaccessible and defaced pages by altering their visual appearance and content, replacing legitimate information with unauthorised material. Attempts by users to log into the websites were met by messages that read: “Access denied by PCP”, “We will rise again”, “White power worldwide”, and “14:88 Hail hitler”.
Other websites like eCitizen, the National Transport and Safety Authority (NTSA), the Judiciary, the Kenya National Examinations Council (KNEC), and the National Police Service were not affected. Ministries such as Defence and the National Treasury also remained secure.
Communications Authority Director-General David Mugonyi had warned about this vulnerability months earlier. “The detected cyber threats can be attributed to several factors, including inadequate system patching, limited user awareness of threat vectors such as phishing and other social engineering techniques, as well as the growing adoption of AI-driven attacks and machine learning technologies by malicious actors,” he said in a report.
Interior PS Raymond Omollo confirmed that the government had regained control of the attacked websites. “The attack is suspected to have been carried out by a group identified as PCP@Kenya. The government initiated its incidence response and recovery efforts, supported by various stakeholders to mitigate the effects of the incident and restore accessibility to the affected websites,” Mr Omollo said in a statement.
He added that the attack is in breach of Kenyan and international laws, including the Computer Misuse and Cybercrimes Act, the Kenya Information and Communications Act and the Data Protection Act. Those found culpable will face the full force of the law.
Financial Implications and the Private Sector
The ripple effect of weak cybersecurity extends well beyond government portals. The lack of robust controls has serious financial consequences that affect both public and private sectors.
According to the Communications Authority of Kenya, there were 842 cyber threat events between July and September alone. Most of the attacks exploited system vulnerabilities. Six years ago, cyber attacks in the country stood at 7.7 million annually. A January 2023 report by the authority shows that the most targeted industries in Kenya are financial services, healthcare, education, energy and utilities, as well as government agencies.
The private sector has borne a heavy financial burden. A Central Bank of Kenya report showed that Kenyan banks lost Sh1.59 billion to hackers in 2024 alone. Reported attacks rose to 353 from 173 in 2023, nearly doubling in just one year.
Cytonn Umbrella Retirement Benefits Scheme (CURBS)
The Way Forward
The surge in Kenya government cyber attacks serves as a stark wake-up call. Since 2018, when Edward Ouko was Auditor-General, the office has issued several warnings. Many of these have gone ignored. Even when implemented, efforts have been half-hearted at best.
The Auditor-General’s warnings are clear: weak ICT frameworks compromise information assets and hinder service delivery. The government must move beyond reactive firefighting and finally implement the structural reforms outlined in these reports. The warnings have been there, detailed and specific. The question now is whether they will be heeded before the next breach occurs.
