Kenya at high risk as cyberattacks continue to plague businesses

Kenya reported over 56 million cyber threats for the quarter ended December 2020.

In Summary

• Kenya is among African countries facing a possible increase in cybercrime in 2021, amid economic uncertainty occasioned by the Covid-19 pandemic.

• Malware attacks were the highest at 46 million, followed by web application attacks at 7.8 million and Distributed Denial of Service (DDoS) attacks at 2.2 million, out of the threats detected by the National Computer Incident Response Team Coordination Centre.

Most users do not understand the risks of falling into the hands of hackers, who may distribute deadly malware, plant sophisticated viruses or infected software on their mobile phones or computers without notice.

Last week the cybersecurity debate once again dominated social media platforms after intruders infiltrated Kenya's world cancer day virtual meeting and posted obscene pictures.

The event was attended by Health CS Mutahi Kagwe, doctors and other stakeholders.

The meeting had just started at around 10:50 am and the only person who had spoken was Oncologist David Makumi.

It was at this point that the intruders took control of the platform and posted explicit images, obscene messages and videos prompting the organisers to end the meeting.

A screen shot of a virtual meeting that was intruded by hackers last week

In June 2020, the Egyptian bus operator SWVL suffered a data breach that impacted over four million members of its services.

The breached data included names, email addresses, phone numbers, profile photos, partial credit card data and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout the online hacking communities.

The data was provided to HIBP by

On the same day, some 501 websites were hacked affecting 10,587,144,426 accounts.

With new technology and increasing Internet connectivity and activities, hackers are working round the clock to trap unsuspecting Internet consumers.

As a result, information sharing has increasingly impacted our daily lives, improving communication networks across the country.

While some Kenyans prefer accessing their accounts directly using mobile data bundles, others use their company's WiFi, which is a bit more secure than public WiFi.


On 16 November 2020, Immaculate Kassait, former IEBC director in charge of voter education and partnerships, took her oath of office as Kenya's first Data Protection Commissioner.

This marked a great milestone in the history of Kenyan legislation with the enactment of the long-awaited Data Protection Act, 2019.

Over the years, Kenya had no law that focused on incidents of cybersecurity but depended on the Kenya Information and Communication Act of 1998 (KICA) which included cybersecurity-related provisions that prohibited various actions that would threaten cybersecurity.

These provisions prescribed criminal penalties for the same, ranging from a fine of Sh200,000 to Sh1 million and/or a jail term of up to five years.

Although KICA provisions were useful in the war against cybercrime, ICT experts said a lot needed to be done at the legislative and policy levels to help stem the tide of cyberattacks.

The bill, gazetted in 2016, proposed to consolidate the law on cybercrime and to establish the National Cyber Security Response Unit, a governmental agency that will have powers to investigate incidents of cyberattacks.

As a result, data controllers and processors were unable to fully comply with certain obligations under the Act, such as the requirement to register with the Data Commissioner, conducting a Data Protection Impact Assessment, or approval of safeguards prior to any cross-border transfers.

The appointment of Kassait marked the start of a long and complicated journey in enforcing these data protection principles.

Section 8 of the Act sets out the functions of the Data Protection Commissioner, including overseeing the implementation of, and being responsible for the enforcement of, the Act.

Others are establishing and maintaining a register of data controllers and data processors, exercising oversight on data processing operations, either of own motion or at the request of a data subject, and verifying whether the processing of data is done in accordance with the Act.

Other functions are promoting self-regulation among data controllers and data processors, conducting an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether the information is processed according to the provisions of the Act or any other relevant law, receiving and investigating any complaint by any person on infringements of the rights under the Act and taking such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public.

Also included are carrying out inspections of public and private entities with a view to evaluating the processing of personal data, promoting international cooperation in matters relating to data protection and ensuring the country’s compliance with data protection obligations under international conventions and agreements.

Another function is undertaking research on developments in the processing of personal data and ensuring that there is no significant risk or adverse effect of any developments on the privacy of individuals.

Despite this, cyberattacks continue to plague many business enterprises across the country.

Many banks are grappling with online hacking that is estimated to cost the economy billions of shillings each year.

But it's not banks alone that should be worried. Cybercriminals are spreading their tentacles to all facets of our digital life.

The Star has established that there is an increase in cases of cyber espionage operations, computer network attacks, online theft, hacking, identity theft, impersonation and online fraud.

Kenya reported more than 56 million cyber threats for the quarter ended December 2020, according to the latest Communications Authority (CA) data.

This is a 59 per cent increase from 35.2 million threats detected in the previous quarter.

Malware attacks were the highest at 46 million, followed by web application attacks at 7.8 million and Distributed Denial of Service (DDoS) attacks at 2.2 million, out of the threats detected by the National Computer Incident Response Team Coordination Centre.

The increase in cybercrime was recorded in the wake of the Covid-19 pandemic which saw many people operate online and increased uptake of e-commerce.

“The pandemic is one of the major reasons for the increased cybercrime as many people accessed services online, however as a country, we are moving towards digital transformation, therefore, we are working to ensure people learn to safeguard themselves in the digital space,” said CA acting Director-General Mercy Wanjau.

The ICT Cabinet Secretary, Joe Mucheru, expressed concern about a possible increase in the volume of cybercrime in the country in the lead-up to the upcoming BBI referendum and the 2022 general elections.

Mucheru called on CA to liaise with relevant state agencies and private sector players to manage escalating cases of cybercrime.

According to global cybersecurity firm Kaspersky, Kenya is among African countries facing a possible increase in cybercrime in 2021, amid economic uncertainty occasioned by the Covid-19 pandemic.

While the increase in these crimes will vary by country, African nations must prepare themselves for the inevitability of increases in malware that already topped 28 million by August last year, according to Kaspersky research.

Kaspersky security solutions in September reported 28 million malware attacks in 2020 and 102 million detections of potentially unwanted programs (pornware, adware among others), where South Africa, Kenya and Nigeria were the most affected.

This led to Kenya being among the top 10 countries in the continent with the highest number of people exposed to cybercrime.

Some 26.6 million cyber threats occurred between April and June in 2019, according to the National Kenya Computer Incident Response Team Coordination Centre.

Serianu Consultancy firm indicated that the country lost Sh29.5 billion from such sophisticated cybercrimes.

Another report on the state of national security indicates that by November 2020, Kenya reported six million cyber attacks that happened in 2019 targeting both government and private institutions, according to the annual report presented in Parliament.

During the year under review, the key cybercrime incidents witnessed included SIM swap, unauthorised intrusions into IT systems commonly known as hacking, insider threat, identity theft and web application attacks, with the majority being motivated by financial gain.

The vice, according to the report, was prevalent within key government ministries, departments and agencies, savings and credit cooperative societies, banks and telecommunication service providers.

Some 1,203 cases were examined at the DCI Digital Forensic Laboratory compared to 992 cases received in 2018, representing an increase of 280 cases attributed to the emerging digital trends and transnational nature of crime.

“A total of 360 cybercrime cases were presented in courts during the year under review while there are 50 other on-going network forensic investigations at the Kenya Ports Authority (KPA) offices in Mombasa and KRA offices in Nairobi and Mombasa,” read part of the report.

The report attributes limited human and capital resources such as forensic tools used at the laboratory as underlying factors that largely affected the government effort in combating cybercrimes in the country.

The cyber threat events detected varied from Denial-of-Service (DoS) attacks, which hampered the availability of computer services, to online abuse, which included online fraud, hate speech, incitement to violence and fake news.

The statistics came out after the National Youth Service and Integrated Financial Management System (IFMIS), among a host of government websites, suffered an attack by an Indonesian hacker group, Kurd Electronic Team.

All websites on servers powered by the Unix-based FreeBSD operating system were attacked with hackers placing their logo on the landing pages.

Judicial Service Commission (JSC), the Immigration Department, Kenya Meat Commission, Petroleum Ministry and Refugees Affairs, National Environment Trust Fund, Department of Planning and the National Development Implementation Technical Committee were also attacked.

The attack was just a few years after an Indonesian hacker known as direxer took down over 100 government websites.

A year before, the Communications Authority of Kenya (CA) website was also hacked despite being the state agency that regulates Internet resources for public and private entities.

Their website was attacked by a group calling itself AnonPlus that replaced the regulator’s homepage with a five-point hackers’ manifesto promising to "defend freedom of information, freedom of the people and emancipation of the latter from the oppression of media and those who govern us".

In 2016, online activists who claimed ties to Anonymous said they had begun to leak documents from Kenya’s foreign ministry as part of a campaign to expose government and corporate corruption across Africa.

According to HackRead, a cybersecurity news site, a hacker affiliated with “Operation Africa” published a link to a sample of 95 documents to a widely known Anonymous Twitter account, part of what it claimed was a one-terabyte stash of data from Kenya’s Ministry of Foreign Affairs and International Trade.

The sample documents could not be read using standard Web browsers but could be viewed using TOR.

“What they did is they managed to send emails to people, and people clicked the links to change their credentials, and as a result they were able to access emails,” he told Reuters by phone. “Our systems have remained safe and stable.”
ICT CS Joe Mucheru

ICT Cabinet Secretary Joseph Mucheru then told Reuters that the attack was a phishing attack, as opposed to a hacking attack on the foreign affairs ministry’s computer systems, and that no classified material had been accessed.

He said what the hackers accessed was mostly on security clearance ‘Open’ as opposed to ‘Restricted’ or ‘Top Secret’.


Africahackon founder Dr Bright Gameli told the Star it takes about 100 days before one gets to know they have been hacked.

Gameli said hacking methodologies are also changing, with hackers devising new ways to compromise their targets.

He said hackers are now turning away from the traditional ways, where they could target those on free WiFi or connection to some network.

“Nowadays just a flash disk on your laptop or a phone charger plugged into your machine is a sure bet for any hacker seated 10m away from you to intercept your traffic,” he said, adding that hackers can even use your mouse to access your data.

Hackers may target individuals for specific reasons like online abuse or fraud. On the other hand, they may target companies or organisations to access websites, emails or computer systems and disrupt their functioning.

A common attack is the Denial of Service (DoS), where the intruder disrupts the normal functioning of computer services.

But Gameli said, “Phishing has become the most prevalent way the attackers are using. They attach malicious links to your emails and once you click on such links, they can tell how much charge you have on your battery, which websites you’ve visited and what activity you have been doing on the same sites.”

These hackers, Gameli said, will force their victims to access links they are not interested in, and subject them to popups that contain hasty information.

The IT guru said companies with more employees are at a bigger risk, as the attacker will only target one person in the company to get access to data of all other employees.

“Small startups have 50 to 100 employees, but the larger the number of employees in an organisation, the more vulnerable they are to these attacks,” he said.

Gameli said the decreasing number of cyber engineers is making the matter worse.

He said most companies have a maximum of two engineers, who are expected to protect hundreds of employees from the attacks.

This is strenuous and leaves gaps and loopholes for unsuspected attacks. Such challenges can be overcome by automation of all the processes and technology, he said. 
