AFRINIC community raises concern over Smart Africa data breach

AFRINIC community is a public record based on article evidence, entity context, event links, and relationship context.

Most respondents who answered say they are concerned and deny sharing details with Smart Africa. Several link their concern to attempted vote mobilisation and poor email hygiene. Survey findings: Concern dominates, consent is disputed A few weeks ago, Smart Africa leaked thousands of email addresses belonging to AFRINIC members and resource holders. BTW Media investigated how such a privacy breach could occur. Our first Special Report showed how the majority of those email address owners claimed never to have given Smart Africa consent to use their address for communications.

Our interviews show a clear pattern: the overwhelming majority of people who responded registered their concern about Smart Africa’s visible-recipient email and say they never provided their contact details to Smart Africa. Some highlight that the outreach coincides with efforts to influence governance outcomes—specifically, drives for voting—which heightens their unease about how the list is compiled and used.

A very smaller cohort push back, arguing that their addresses are purposefully public for Internet operations (for example, as resource abuse or technical contacts) and therefore the message, while clumsy, does not amount to a breach for them. Even among this group, several call the handling “very poor” and question why. Also read: Smart Africa leaks thousands of AFRINIC member email addresses Public data vs non-public lists: Why the distinction matters Two datasets frequently get conflated in this debate.

First, WHOIS/IRR contact entities are designed to be public so operators can reach engineers in real time about routing incidents, abuse, and registry changes. Those entries—admin-c, tech-c, abuse—are operational conduits, not general-purpose mailing lists. Second, member email lists curated by a registry (or a third party) are not ordinarily published in bulk. Operational transparency is not blanket consent for policy campaigning or mass outreach. The outcry therefore focuses less on the visibility of any single contact and more on Smart Africa’s possession and exposure of a consolidated, AFRINIC-aligned list with unclear provenance.

Legal and security implications: Material risk exists Whether a specific recipient views the incident as a breach or not, the risk environment changes once a large, registry-adjacent address set is widely visible. Phishing campaigns thrive on topical hooks; an email referencing elections, resource validation, or “account updates” can credibly solicit passwords, route authorisations, or payment metadata. Jurisdictionally, data protection regimes in Mauritius and the EU place obligations on controllers when personal data is exposed in a way that is likely to result in risk to individuals.

If any part of the list draws on non-public member records—directly or indirectly—questions arise about the lawful basis for processing, purpose limitation, and disclosure to third parties. Even if Smart Africa compiled the list from operationally public sources, it still must apply appropriate technical and organisational measures to prevent accidental disclosure. What Smart Africa must answer now Provenance and legal basis. How is the list assembled? Was any member-record data shared from within AFRINIC or its service providers? What is the lawful basis for holding and using it, and who is the controller? Breach response.

Has Smart Africa initiated a documented incident response, including notifying affected recipients of heightened phishing risk, rotating any mailing credentials, and auditing access to the list?whats the future safeguards? Why some remain unconcerned—and why that does not settle it Those who are not concerned typically cite one of two reasons: (a) their address is public by design (they expect to be reachable for network operations), or (b) they assess no significant harm in this instance. WHOIS transparency supports Internet reliability. But they do not negate the core issues raised by others: consent, purpose, and competence.

Even if a subset of addresses are public, the creation, retention, and accidental exposure of a bulk, AFRINIC-targeted list by a non-registry actor still demands scrutiny and, at minimum, better controls. The governance backdrop: Why trust is at stake The episode unfolds amid continuing disputes over AFRINIC’s governance and elections. Several interviewees frame the email in that context—asserting that the list was used to shape voting outcomes—and argue that Smart Africa’s behaviour erodes confidence at a sensitive moment.

Regardless of one’s view of the governance dispute, trust in data stewardship is a prerequisite for constructive engagement. Smart Africa aspires to continental leadership on digital transformation; that role carries heightened responsibilities around privacy, security, and communications discipline. Bottom line The responses to our question are mixed, but the centre of gravity is clear: most who replied are concerned, deny consent, and want a transparent accounting of how their details were obtained and exposed. A minority view as less worry, yet still criticise the way the message is sent.

Until Smart Africa explains the list’s origin and upgrades its practices, scepticism from AFRINIC’s community is both predictable and justified.