- Sensitive, non-public AFRINIC member contact list revealed in mass email error by Smart Africa.
- Breach raises questions about how Smart Africa obtained the data and possible unauthorised sharing from within AFRINIC.
In another blow to confidence in Africa’s internet governance institutions, Smart Africa has triggered a major data breach that could have severe consequences for AFRINIC and its members.
The incident occurred when Djibril Dème, project manager at Smart Africa, sent an email titled “Invitation – Online Consultation Session on AFRINIC Elections & CAIGA Framework.” Instead of placing recipients in the bcc field, Dème entered them in the “to” field, exposing every email address to every other recipient — and potentially to anyone who obtained the email later.
How did Smart Africa get this data?
AFRINIC members’ email addresses are not public. Smart Africa is not known to have a legitimate or legal reason to possess them. If the list was obtained directly or indirectly from AFRINIC, this would point to an internal breach or the unauthorised sharing of private member data — a serious matter that demands urgent investigation.
Also read: Why the AFRINIC dispute is about more than IP addresses – it’s about freedom
Why this is serious
The exposed addresses are, for many AFRINIC members, the primary, and often only, non-public point of contact for secure registry operations. Losing control of that information also loses a key protection that prevents misuse of the registry’s functions.
The breach reveals AFRINIC members’ non-public contact details, critical to registry security.
The exposure opens the door to spam, phishing, and targeted cyberattacks.
The possession of the list by Smart Africa raises questions about possible internal AFRINIC data leaks.
Legal risks span multiple jurisdictions with strict data protection laws.
Also read: Mauritius at a crossroads: How the fight over internet governance mirrors a battle for democracy
Privacy, security, and legal risks
With the list now exposed, members face the likelihood of spam and targeted phishing attempts. Attackers could impersonate AFRINIC or related bodies to trick recipients into revealing passwords, transferring funds, or granting network access.
The legal ramifications are potentially severe. AFRINIC members are spread across countries with strong privacy regimes, from Mauritius’ Data Protection Act to the EU’s GDPR in European-linked territories. Disclosing personal or corporate contact information without consent can result in investigations, fines, and civil claims.
The key unanswered question is whether Smart Africa lawfully obtained the list in the first place. Without a clear legal basis, holding or using the data could itself be a violation, regardless of the accidental exposure.
Also read: Secret AFRINIC ‘Reforms Committee’ sparks fresh concerns over internet governance in Africa
Another crisis for AFRINIC
For AFRINIC, this breach comes on top of a turbulent year. Its June 2025 board election was annulled after a dispute over a single vote and allegations of proxy manipulation. The organisation is under court supervision, and ICANN president and CEO Kurtis Lindqvist has publicly criticised its governance, prompting accusations that he is attempting to exert undue influence over the registry.
Now, with its members’ private data in the hands of an external body — and apparently mishandled — AFRINIC faces deeper questions about whether it can safeguard its most sensitive operational information. If the data came from inside AFRINIC, the breach is not only a communications blunder by Smart Africa but also a sign of weak internal controls.
Also read: ICANN or ICan’t? CEO Lindqvist chooses dictatorship over democracy in AFRINIC
Smart Africa’s accountability
For Smart Africa, the error is basic but consequential. Mass email systems should default to secure sending practices, and sensitive lists should be handled with strict access controls. This lapse undermines Smart Africa’s credibility as a champion of Africa’s digital transformation and raises questions about its data governance standards.
The organisation now faces two urgent tasks:
- Explaining how it obtained AFRINIC’s member contact list.
- Publicly acknowledging the breach and notifying all affected parties.
Without transparency on both counts, trust will continue to erode.
Also read: Mauritian judge barred from investigating AFRINIC amid pre-election turmoil
Risk of wider fallout
The breach also poses a strategic threat to the African internet ecosystem. With a verified list of AFRINIC members in circulation, rival groups could attempt to set up alternative registries or directly solicit AFRINIC’s customers. That could fragment the registry system, create conflicting IP address records, and damage the stability of internet operations in the region.
Smart Africa’s role in internet governance
Smart Africa is an African Union-backed initiative bringing together more than 30 member states to accelerate digital transformation. Its focus areas include broadband expansion, policy harmonisation, and ICT investment.
While it has no formal authority over AFRINIC, Smart Africa has become increasingly active in internet governance debates, including AFRINIC elections and policy processes. The group has also been linked to proposals to relocate AFRINIC’s headquarters from Mauritius to Rwanda — a move that has divided the AFRINIC community.
Against this backdrop, the possession and mishandling of AFRINIC members’ private data is not just a technical slip. It cuts to the core of trust between two influential players in Africa’s digital future. The community will now be looking for swift, transparent action from both organisations to explain what happened, protect members from harm, and ensure that such a breach cannot occur again.
