Smart Africa leaks thousands of AFRINIC member email addresses

• Sensitive, non-public AFRINIC member contact list revealed in mass email error by Smart Africa.
• Breach raises questions about how Smart Africa obtained the data and possible unauthorised sharing from within AFRINIC.

In another blow to confidence in Africa’s internet governance institutions, Smart Africa has triggered a major data breach that could have severe consequences for AFRINIC and its members.

The incident occurred when Djibril Dème, project manager at Smart Africa, sent an email titled “Invitation – Online Consultation Session on AFRINIC Elections & CAIGA Framework.” Instead of placing recipients in the bcc field, Dème entered them in the “to” field, exposing every email address to every other recipient — and potentially to anyone who obtained the email later.

How did Smart Africa get this data?

AFRINIC members’ email addresses are not public. Smart Africa is not known to have a legitimate or legal reason to possess them. If the list was obtained directly or indirectly from AFRINIC, this would point to an internal breach or the unauthorised sharing of private member data — a serious matter that demands urgent investigation. See also: AfriNIC's Vanishing Member register.

Also read: Why the AFRINIC dispute is about more than IP addresses – it’s about freedom

Why this is serious

The exposed addresses are, for many AFRINIC members, the primary, and often only, non-public point of contact for secure registry operations. Losing control of that information also loses a key protection that prevents misuse of the registry’s functions.

The breach reveals AFRINIC members’ non-public contact details, critical to registry security. See also: Alejandro Fernandez.

The exposure opens the door to spam, phishing, and targeted cyberattacks. See also: Aldo Garcia.

The possession of the list by Smart Africa raises questions about possible internal AFRINIC data leaks. See also: Alcymer Vieira.

Legal risks span multiple jurisdictions with strict data protection laws. See also: Alcides Cremonezi.

Also read: Mauritius at a crossroads: How the fight over internet governance mirrors a battle for democracy

Privacy, security, and legal risks

With the list now exposed, members face the likelihood of spam and targeted phishing attempts. Attackers could impersonate AFRINIC or related bodies to trick recipients into revealing passwords, transferring funds, or granting network access. See also: Alberto Anaya.

The legal ramifications are potentially severe. AFRINIC members are spread across countries with strong privacy regimes, from Mauritius’ Data Protection Act to the EU’s GDPR in European-linked territories. Disclosing personal or corporate contact information without consent can result in investigations, fines, and civil claims. See also: Albert Kis.

The key unanswered question is whether Smart Africa lawfully obtained the list in the first place. Without a clear legal basis, holding or using the data could itself be a violation, regardless of the accidental exposure.

Also read: Secret AFRINIC ‘Reforms Committee’ sparks fresh concerns over internet governance in Africa

Another crisis for AFRINIC

For AFRINIC, this breach comes on top of a turbulent year. Its June 2025 board election was annulled after a dispute over a single vote and allegations of proxy manipulation. The organisation is under court supervision, and ICANN president and CEO Kurtis Lindqvist has publicly criticised its governance, prompting accusations that he is attempting to exert undue influence over the registry.

Now, with its members’ private data in the hands of an external body — and apparently mishandled — AFRINIC faces deeper questions about whether it can safeguard its most sensitive operational information. If the data came from inside AFRINIC, the breach is not only a communications blunder by Smart Africa but also a sign of weak internal controls.

Also read: ICANN or ICan’t? CEO Lindqvist chooses dictatorship over democracy in AFRINIC

Smart Africa’s accountability

For Smart Africa, the error is basic but consequential. Mass email systems should default to secure sending practices, and sensitive lists should be handled with strict access controls. This lapse undermines Smart Africa’s credibility as a champion of Africa’s digital transformation and raises questions about its data governance standards.

The organisation now faces two urgent tasks:

1. Explaining how it obtained AFRINIC’s member contact list.
2. Publicly acknowledging the breach and notifying all affected parties.

Without transparency on both counts, trust will continue to erode.

Also read: Mauritian judge barred from investigating AFRINIC amid pre-election turmoil

Risk of wider fallout

The breach also poses a strategic threat to the African internet ecosystem. With a verified list of AFRINIC members in circulation, rival groups could attempt to set up alternative registries or directly solicit AFRINIC’s customers. That could fragment the registry system, create conflicting IP address records, and damage the stability of internet operations in the region.

Smart Africa’s role in internet governance

Smart Africa is an African Union-backed initiative bringing together more than 30 member states to accelerate digital transformation. Its focus areas include broadband expansion, policy harmonisation, and ICT investment.

While it has no formal authority over AFRINIC, Smart Africa has become increasingly active in internet governance debates, including AFRINIC elections and policy processes. The group has also been linked to proposals to relocate AFRINIC’s headquarters from Mauritius to Rwanda — a move that has divided the AFRINIC community.

Against this backdrop, the possession and mishandling of AFRINIC members’ private data is not just a technical slip. It cuts to the core of trust between two influential players in Africa’s digital future. The community will now be looking for swift, transparent action from both organisations to explain what happened, protect members from harm, and ensure that such a breach cannot occur again.