ON 6 MARCH, something quietly broke inside the Namibia Airports Company.
The company described it as a limited disruption.
The full picture only surfaced on 19 March, when the INC Ransomware Group announced the attack and the Namibia Cyber Security Incident Response Team confirmed it.
Communications Regulatory Authority of Namibia (Cran) spokesperson Mufaro Nesongano said the attackers claimed to have exfiltrated approximately 500GB of data, including financial records, human resources information, customer data and contact details.
It said this made the airports company the second Namibian victim of the INC Ransomware Group after an incident at the Otjiwarongo municipality.
Weeks later the company confirmed that the data, including airport permit system files and engineering documents, had been dumped on the dark web.
Flights kept landing throughout.
Nothing showed on the runway, and that is exactly the problem.
A breach that disrupts nothing you can see is easy to ignore.
It was not the first time.
In December 2024, Telecom Namibia lost 626GB of data to the Hunters International ransomware group, exposing more than 490 000 files and affecting customers at eight government ministries, five regional councils and 10 municipalities.
In October 2025, the Namibia Students Finance Assistance Fund published the personal details of more than 7 000 students on its own website.
Paratus was hit in early 2025.
Telecoms, municipalities, student funding, airports.
The targets vary.
The weakness does not.
Meanwhile, the country is accelerating its shift online.
The sixth National Development Plan (NDP6)wants internet use up from 53% to 90% by 2030, with government services fully digital.
The Bank of Namibia is preparing to launch its Instant Payment System (IPS), starting with social grants paid straight to pensioners.
More than 40% of Nedbank Namibia’s clients already bank through digital channels. Namibians file taxes through Itas, register companies through the Business and Intellectual Property Authority and apply for passports online.
The economy, and the identity of every citizen, is being poured into systems connected to the internet.
The locks have not kept pace. The ITU’s 2024 Global Cybersecurity Index placed Namibia in Tier 4, the “evolving” band, with a score of 37.93 out of 100.
NDP6 itself admits the country’s cyber readiness is 37 against a 2030 target of 65.
The cost is already measurable.
The Bank of Namibia’s 2025 annual report put banking fraud losses at N$73.9 million for the year, up from roughly N$8.7 million in 2020.
Cybersecurity is economic infrastructure.
Namibia budgets for roads, electricity, water and broadband because the economy cannot run without them.
Digital security now belongs in the same category, with line items, timelines and accountable owners.
A stolen bank card is cancelled and replaced within days.
A date of birth or a fingerprint cannot be reset.
Once that information leaks it stays leaked, available for fraud for the rest of a person’s life.
Start with the laws. The data protection bill has been drifting since 2013, the cybercrime bill nearly as long.
After every breach, Cran repeats the same line: Namibia has no law compelling institutions to protect the data they hold.
In contrast, South Africa’s Information Regulator can fine an organisation up to R10 million and has started doing so.
Namibia cannot fine anyone for anything.
Then set minimum standards for any institution that holds citizen data or moves citizen money, and test against them.
Multi-factor authentication, patching, offline backups and a rehearsed incident response plan make the difference between a contained incident and a national headline.
An untested control is an assumption, and attackers specialise in assumptions.
There are jobs in this. Youth unemployment is 44.4% yet much of the specialist security work on Namibian systems is contracted outside the country.
Every breach handled from abroad exports the fee and the experience.
Road tenders carry local content rules because the spending is meant to develop the country as well as the asset.
Hold security spending to the same standard, and the computer science and information technology graduates Namibia is producing will have somewhere to go.
And remember who carries the risk.
As grants move onto the IPS, the most exposed users are pensioners, informal traders and rural Namibians, those newest to digital tools and least able to absorb a loss.
Security that ignores them simply shifts risk onto those who can least afford to carry it.
No country would open a port without customs, security and safety systems.
Namibia is opening the largest port it has ever built, a digital one through which its money and its identities now flow, while still debating whether locks are worth the cost.
Criminals have answered that question already.
They keep returning because it works.
The honest measure of the country’s digital transformation will not be how many Namibians get connected.
It will be how many can be kept safe.
– Lian Aldrich is co-founder of Aphotic Cyber Security, a Namibian penetration testing and offensive security company.
