DAKAR — Senegal’s Direction générale des Impôts et des Domaines (DGID) was hit by a cyberattack that disrupted online tax services and raised fears about data exposure. Authorities initially described a technical issue; however, independent reporting points to a ransomware-style incident with threats to leak stolen information. As a result, e-services were switched off at times while teams worked on containment and recovery.
At a glance
What happened: A ransomware-type attack forced DGID to limit access to online portals.
Why it matters: Even short disruptions can delay collections, refund payments, and compliance.
What’s next: Clear guidance, short filing extensions, and stronger security controls are essential.
What we know
First, the attack emerged in late September and became public in early October. Since then, DGID’s portals have been intermittently unavailable. Meanwhile, some outlets report that a group claimed responsibility and said it had exfiltrated data. The size and nature of that data are still unclear. Even so, the risk to taxpayer confidentiality is obvious.
Second, the impact extends beyond IT. Because tax systems run filing, payments, and refunds, any outage can slow cash inflows to the state and increase uncertainty for businesses. Consequently, many taxpayers turned to in-person counters or temporary procedures.
What remains uncertain
To be precise, several issues are still open. For example, we do not yet know the exact entry point, the full range of affected systems, or the final volume of data taken. In addition, we do not know whether the attackers still have access or are now operating only with stolen copies. Until DGID releases a formal, post-incident note, technical details will remain limited.
Why this case matters for Africa
Senegal’s experience mirrors a wider pattern across African revenue systems. On the one hand, digital platforms have improved registration, filing, and refunds. On the other hand, several weaknesses persist:
- Identity and access gaps. Too many systems still lack multi-factor authentication (MFA) and strong controls for administrators.
- Third-party exposure. Outsourced development, e-invoicing vendors, and payment gateways can become attack paths if contracts don’t include strict security rules.
- Legacy architecture. Older platforms are hard to patch quickly, and flat networks make lateral movement easier for attackers.
- Continuity gaps. Without frequent restore drills and multi-site redundancy, recovery takes longer and backlogs grow.
Because of these gaps, a single incident can ripple through collections, refunds, and trust—both in Senegal and across the region. Short-lived tokens for machine-to-machine traffic; strict allow-listing for batch interfaces to banks/treasury.
What taxpayers should do now
While systems stabilize, businesses can reduce risk and stay compliant:
- Use official fallback channels. If e-services are down, file and pay at designated counters. Keep stamped receipts.
- Record your attempts. Note dates and times for any failed online filings; this helps with penalty relief later.
- Refresh credentials. Change passwords, enable MFA, and review who has access—especially third-party agents.
What DGID should prioritize next
To rebuild confidence, DGID can take a few clear steps:
- Publish a short incident bulletin. Explain what is affected, how to file and pay in the meantime, and whether deadlines are extended.
- Offer targeted relief. Provide short filing extensions and waive penalties that stem from the outage.
- Commission independent forensics. Then share a high-level summary—entry vector, affected data categories, and fixes applied.
- Strengthen resilience. Enforce MFA for all staff and intermediaries, isolate admin tools from public portals, and run regular backup-restore drills.
- Update vendor contracts. Require security testing, incident-notification SLAs, code escrow, and audit rights for any external providers.
A 90-day action plan (practical and achievable)
- Lock down identities: Turn on MFA everywhere; rotate all service accounts and API keys; use privileged-access management for admins.
- Segment the network: Separate public portals, back-office, analytics, and payments. Also, isolate customs systems from core tax services.
- Prove recovery: Maintain immutable, offline backups and test full restores each quarter—including e-invoicing certificates.
- Improve visibility: Centralize logs, deploy endpoint detection, and monitor unusual admin actions.
- Communicate clearly: Announce any deadline changes and publish a brief post-mortem when safe to do so.
The opportunity in the crisis
Although the attack is disruptive, it also creates a chance to raise the bar. If DGID pairs transparent communication with visible fixes—especially stronger identity controls, clear vendor obligations, and tested recovery—trust can rebound quickly. In turn, other African tax administrations can copy this playbook and reduce their own risk.
Bottom line: The Senegal incident shows that tax systems are critical national infrastructure. Therefore, they need security and continuity measures to match. With clear guidance today and structural fixes over the next few months, DGID—and the region—can come out stronger.
