M-Pesa, Key Govt Services Unavailable as Kenya Grapples With Cyberattack

Kenyans were yesterday unable to access vital services such as buying electricity tokens, transacting on M-Pesa, digital banking, and several government services on e-Citizen due to a cyber-attack that targeted both public and private institutions. 

The outage of M-Pesa services had major impacts on various sectors including revenue collection such as parking fees by counties. The incident has raised concerns about Kenya’s readiness for a complete shift towards digital payments. In the financial year leading to March 2022, M-Pesa transacted about Sh29.55 trillion equivalent to Sh81 billion daily, underlying the impact of the disruption.

Safaricom, the company that operates M-Pesa, has not commented on the cause of the disruption. Kenya Power experienced a system failure due to a network outage at its payment service provider which left thousands of the utility’s prepaid customers unable to purchase their tokens via M-Pesa and USSD code *977#. Standard Chartered Bank Kenya was among the banks whose digital banking systems were affected. 

Train services were also disrupted with Kenya Railways stating that the network outage by its service provider impacted ticket purchases. The National Transport and Safety Authority (NTSA) also confirmed that its services had been attacked. Yesterday at 6:30 pm, the Interior Ministry announced that the e-Citizen platform had resumed all services after a period of downtime since July 23, 2023. The platform had been launched by President William Ruto to improve government efficiency and downsize corruption. However, a recent hack has highlighted the risks of digitization as sensitive data belonging to individuals and government agencies are feared to be lost. 

Despite previous claims that the system had only experienced intermittent disruptions due to attempts to overload it, the government has now confirmed that the platform was hacked. The attack caused a Distributed Denial of Service (DDoS), resulting in a web server error message for anyone trying to access e-Citizen. The government has assured Kenyans that they are working to resolve the issue and secure the site to prevent further attacks.

The National Computer and Cybercrime Coordination Committee (NC4) had warned various agencies about an impending attack and advised them to take necessary precautions. The NC4 had noticed a significant increase in hacking attempts targeting critical information infrastructure (CII) and had informed the authorities about it. The attack that occurred on Monday disrupted the processing of e-visas, with the Foreign Affairs Principal Secretary Korir Sing’oei suggesting that travellers opt for visa-on-arrival services. Anonymous Sudan claimed responsibility for the attack on social media and stated that it was targeting other government digital services. However, this claim is yet to be verified.