 confirmed in its latest financial report (PDF) that cyberattacks disrupted its systems){kind=link}
Kenya’s National Social Security Fund (NSSF) confirmed in its latest financial report (PDF) that cyberattacks disrupted its systems, delaying $17 million in benefit payments.
The agency, which manages retirement savings for more than 2.9 million members, had previously denied any breach after a hacker known as “Devman” claimed in 2025 to have accessed its systems. The latest audit acknowledges the cyber incidents affected critical infrastructure, leaving many workers’ payments pending.
NSSF was expected to distribute $84 million in benefits for the financial year but paid only $67 million. Year-on-year payouts fell by $7.7 million, underscoring operational disruptions caused by system outages.
The breach exposed gaps in the fund’s digital infrastructure. A $1 million Data Recovery Centre meant to provide backup and disaster recovery was still under construction when the attacks occurred in May 2025. Additionally, a delayed $1.3 million upgrade to the NSSF Member Self-Service Portal (SAP/SSPAS) left the system vulnerable on outdated technology.
Cybersecurity experts warn that public institutions in Africa face rising attacks as digital services expand faster than protective measures. Similar breaches have targeted government agencies in South Africa, banks and public institutions in Nigeria, and telecoms and financial firms across the continent.
The NSSF incident highlights the risks of rapid digitalisation without robust cybersecurity, emphasizing the need for early breach detection, functioning disaster recovery, and timely technology upgrades. As African governments digitise pensions, tax, and benefits systems, incidents like NSSF’s illustrate the high stakes for millions of citizens.