TL;DR: A February 2026 intrusion claim against Senegal’s Directorate of File Automation involved alleged exfiltration of national identity, biometric enrollment, civil registry and backup data, with screenshots posted on a leak site but no official confirmation yet, according to Gurucul. The incident shows how sovereign identity systems create durable, high-impact risk when access, backups and biometric records are all exposed at once.
NHIMG editorial — based on content published by Gurucul covering the DAF Senegal data leak: LLMjacking: How Attackers Hijack AI Using Compromised NHIs
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: What breaks when sovereign identity records and backups are exposed together?
A: The breach stops being a single data-loss event and becomes a trust failure across every system that relies on those records.
Q: Why do biometric identity leaks create longer-term risk than ordinary credential theft?
A: Biometric data cannot be revoked or rotated in the same way as a password or token.
Q: What do security teams get wrong about backup security in identity environments?
A: They often treat backups as recovery-only infrastructure instead of sensitive identity repositories.
Practitioner guidance
- Isolate identity issuance from archival storage Separate live identity systems, civil registry stores, and backup repositories into distinct trust zones with independent access paths and audit trails.
- Treat biometric repositories as irreversible-risk assets Apply stronger segmentation, tighter privilege boundaries, and more aggressive monitoring to biometric enrollment and verification stores than to standard personal data systems.
- Rework backup governance for identity data Assume archived copies of identity records are as sensitive as production data.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- The sample data categories observed on the leak platform, including identity cards, biometric forms, birth registration files, and backup repositories
- The incident-response recommendations published by the vendor, including containment, monitoring, segmentation, and encryption guidance
- The vendor's assessment of likely attack paths such as lateral movement, privilege escalation, and backend database access
- The specific screenshots and evidence trail used to support the intelligence assessment
👉 Read Gurucul's analysis of the DAF Senegal identity data leak →
DAF Senegal data leak: what this means for identity governance?
Explore further
Identity authorities are trust infrastructure, not just data holders. When an agency responsible for national identity is breached, the issue is not limited to confidentiality loss. The real damage is that downstream systems inherit uncertainty about the validity of the records they rely on. That is why identity authorities deserve controls closer to critical infrastructure than to ordinary application security.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a national identity authority is breached?
A: Accountability sits with the organisation that owns the identity trust chain, not only the incident response team. Governance leaders must answer for privilege design, backup protection, data classification, and downstream assurance failures across the systems that depended on the exposed records.
👉 Read our full editorial: DAF Senegal identity leak exposes systemic risk in sovereign records