Kenya’s e-Citizen Platform Flagged for Critical Data Protection Weaknesses

Kenya’s national e-Citizen payment platform, the mandatory gateway for all government service payments, operates with dangerous data security weaknesses that put millions of citizens’ personal information at risk, according to a damning special audit by Auditor-General Nancy Gathungu.

The report reveals fundamental gaps in the system’s IT security and governance framework, including no evidence that the platform is registered with the Data Commissioner as either a data controller or processor, despite handling extensive sensitive personal data from passport applications to marriage certificates.

Most concerning, the audit found no data protection framework outlining how the Government Digital Payments unit handles personal information, and no written contract exists between e-Citizen and its data processors.

These revelations come at a particularly sensitive time, as President William Ruto directed in August 2023 that all government service payments be channeled exclusively through e-Citizen to enhance efficiency and prevent revenue leakages.

The platform, which has been operational since 2014 but whose ownership and control have remained controversial, was subjected to a Distributed Denial of Service (DDoS) attack by hackers nearly two years ago, an incident that highlighted its exposure.

Kenya’s Data Protection Act regulations, enacted in March 2022, require all data handlers to register with the Office of the Data Protection Commissioner. Against that requirement, the audit’s conclusion that it “could not confirm GDP controls with respect to safeguarding personal data” (GDP being the Government Digital Payments unit) raises serious questions about compliance with national data protection law and citizens’ right to privacy, even as the government rapidly onboards more critical services onto this centralized but inadequately secured platform.

The e-Citizen platform was designed to centralize convenience, but it now centralizes risk. As President Ruto pushes for full digital onboarding of government services, citizens are being funnelled into a system whose legal and technical safeguards lag far behind its ambition.

The DDoS attack of 2023 was a warning shot; this audit confirms the door is still wide open. The solution requires an overhaul: clear governance structures, mandatory audits, encrypted architecture, and binding accountability across all processors, because trust in digital government is built by protecting the people behind the data.
