Justicia Shipena and Shelleygan Petersen
The Namibia Student Financial Assistance Fund (NSFAF) says it was unaware that personal information of more than 7 000 students had surfaced publicly.
The Windhoek Observer obtained a document containing names, surnames, NSFAF identity numbers, Namibian IDs, mobile numbers, email addresses, academic details, country and institution of study, student numbers, loan and grant information, as well as non-tuition fees.
When approached on Tuesday, acting NSFAF chief executive officer Kennedy Kandume denied any data leak or hack.
“I am not aware of such,” he said.
After being shown the document, Kandume denied that the information came from NSFAF.
“I would have to really investigate and find out the source and the legitimacy of that list. We don’t find students in Afghanistan. Of course, the majority of them are studying at local institutions as indicated and so on, but the mere fact that there is an indication means there is a lot of inaccurate information in that list,” he said.
On Thursday, the Namibia Cyber Security Incident Response Team (NAM-CSIRT), housed at the Communications Regulatory Authority of Namibia (Cran), confirmed that NSFAF had experienced a data breach.
The team said personally identifiable information of students had been published on the NSFAF website.
Cran’s executive for communication and consumer relations, Mufaro Nesongano, said an investigation is underway to determine the root cause and scope of the breach.
He confirmed that the file was no longer accessible online.
“NAM-CSIRT is currently unable to confirm whether this incident involves ransomware. However, this remains a key focus of our investigation,” he said.
Nesongano added that the incident highlighted the urgent need for national data protection laws.
“Strengthening our legislative infrastructure is essential to ensure accountability, transparency, and the protection of personal information in the digital age.”
The Ministry of Information and Communication Technology (MICT) said three months ago that the data protection bill was under review by the cabinet committee for legislation.
In August, the ministry indicated the bill would be tabled in September, but it did not reach parliament.
The bill is aimed at safeguarding individual rights, strengthening public trust in digital platforms, and creating a safer online environment.
NAM-CSIRT head Emilia Nghikembua said updates would be provided as investigations progress.
“We are treating this matter with the utmost seriousness and will provide further updates as more information becomes available,” she said.
Digital strategist Paul Rowney said organisations often do not know their data has been leaked until they are alerted.
“I don’t think we can fully understand what these people (hackers) can do with our data,” he said.
He referred to a recent hack in the United Kingdom, where criminals targeted the Kido nursery chain, exposing the personal data of more than 8 000 children and demanding ransom.
Government websites exposed to hackers
A recent independent cybersecurity expert also warned of “significant security flaws” across more than 20 Namibian government-run websites. The expert found that many systems run on outdated technology and lack proper maintenance.
Cybersecurity specialist Nrupesh Soni said a successful attack on a government site would have severe consequences.
“Citizens could suddenly find themselves locked out of essential services such as healthcare records, social grants, or identity documents,” he said.
He warned that personal details could be leaked, fuelling identity theft, and that trust in the state would be damaged.
“Investor confidence takes a hit, international credibility falters, and the nation finds itself vulnerable not just to hackers but to political and economic instability.”
Soni said governments must go beyond traditional defences.
“Zero Trust Architecture, where every access request is verified as if it comes from an untrusted network, must become the standard. Artificial intelligence and machine learning should be used to detect unusual behaviour in real time. And civil servants’ accounts must be protected through strong Identity and Access Management and multi-factor authentication,” he said.
The NSFAF breach comes as the fund is expected to be integrated into the Ministry of Education this month.
It follows another hacking incident last December, when Telecom Namibia fell victim to a ransomware attack by a group known as Hunters International, which leaked sensitive customer data after the company refused to pay.
