Telecom Namibia data breach exposes thousands to cyber risks

WINDHOEK, Namibia, 17th December 2024 — The recent ransomware attack on Telecom Namibia by the cybercriminal group Hunters International has raised critical concerns regarding the company’s data security practices, customer privacy, and the broader responsibility of organisations to safeguard sensitive information. The incident has highlighted significant gaps in Namibia’s regulatory framework and underscored the escalating risks in the country’s cybersecurity landscape.

On 11 December 2024, Telecom Namibia became the target of a ransomware attack orchestrated by Hunters International, a group known for its ransomware-as-a-service operations.

During the breach, the attackers exfiltrated approximately 626.3GB of data, comprising 492,633 files containing sensitive customer records. This data included identification documents, residential addresses, and banking details.

After Telecom Namibia refused to comply with the ransom demands, the attackers followed through on their threat and released the stolen information on the dark web on 13 December 2024. Within days, the leaked records began circulating on social media platforms, compounding the risks for affected individuals.

For customers of Telecom Namibia, this breach has far-reaching consequences beyond corporate embarrassment. The exposure of personal data has created a significant privacy crisis, with individuals facing increased risks of identity theft, financial fraud, and phishing scams.

Leaked bank details and identification numbers can easily be exploited by malicious actors to launch targeted attacks, stealing additional financial information or even impersonating individuals to access credit or loans.

The public circulation of this data on social media heightens these dangers, making customers more susceptible to convincing scams that could have devastating financial and psychological effects. The incident also raises concerns about long-term risks to customers' financial security and creditworthiness, as the fallout from data breaches often lingers for years.

Namibia’s lack of enforcement of its Data Protection Act further compounds the problem, leaving customers without statutory recourse or protections. While the Act exists in principle, its lack of implementation means that individuals cannot rely on fines or penalties being imposed on organisations for failing to protect personal information.

In the absence of statutory safeguards, affected individuals may need to rely on common law principles, such as claims of negligence, to seek damages for Telecom Namibia’s failure to adequately secure their data.

The reputational damage to Telecom Namibia cannot be overstated. The public release of sensitive customer records has undermined trust in the telecommunications provider, which now faces significant challenges in restoring its credibility. The breach could also expose Telecom Namibia to legal action, particularly under claims of negligence for failing to implement sufficient cybersecurity measures. Financial losses are another likely outcome, as the company may experience reduced business from customers wary of its data protection practices. The costs of investigating the breach, managing its aftermath, and implementing stronger security systems will add to the financial burden.

In response to the incident, Telecom Namibia Chief Executive Officer Stanley Shanapinda acknowledged the breach and assured customers that the company is working with both local and international cybersecurity experts to assess the full scope of the attack. Shanapinda also reaffirmed that safeguarding customer information remains a priority, though the company now faces intensified scrutiny over its internal data protection controls.