What Happens When We Disregard ICT4D Cybersecurity Risks
What Happens When We Disregard ICT4D Cybersecurity Risks
Publish Date: 2026-04-30 00:48:00
Source Domain: www.ictworks.org
The development sector is proud of what it has built. DHIS2 runs national health information systems in more than 80 countries. CommCare supports community health workers at scale. Safaricom-backed M-Tiba distributed insurance benefits and government health subsidies to millions of Kenyans. These are real achievements.
They are also real targets.
In October 2025, a threat actor claimed to have stolen more than 2.15 terabytes of data from M-Tiba’s servers, including patients’ names, national ID numbers, dates of birth, phone contacts, medical diagnoses, and billing information, affecting up to 4.8 million users.
Kenya’s Office of the Data Protection Commissioner confirmed it had opened an investigation. This happened two months after M-Tiba announced it had received ISO 27001 certification for its information security management.
In June 2024, the BlackSuit ransomware group brought down South Africa’s National Health Laboratory Service after a single employee clicked a phishing link. The NHLS runs 265 laboratories serving roughly 80% of South Africa’s population.
The attack delayed an estimated 6.3 million blood tests. HIV, TB, and mpox diagnostics stalled. The NHLS later admitted its systems were “in no way geared to counter” the attack.
No donor has been held accountable for either failure. No implementing partner has faced a regulatory penalty. The people whose data was exposed had no notification, no legal recourse, and no recourse at all.
That is the scandal. Not the breaches. The accountability structure that makes them inevitable.
We’ve Known of Cybersecurity Threats for Years.
USAID formally recognized cybersecurity as a development challenge in its 2020 Digital Strategy. Its 2023 Cybersecurity Primer stated that every USAID activity and program must consider cybersecurity as a strategic and operational matter. The Principles for Digital Development include a dedicated principle on privacy and security.
None of this requires…
