Cyber Incident Victim: Seacom
Date: May 2023
Location: South Africa
Summary
Seacom experienced a cybersecurity incident that impacted its hosting environment, causing service outages for a small number of business customers. The company stated its core network and connectivity services were unaffected and that no customer data was compromised. Its IT and security teams contained the situation and implemented a business continuity plan, proceeding with a structured recovery process while keeping affected customers informed.
Description
On the morning of Wednesday, May 10, 2023, services for certain Seacom business customers began experiencing outages. The disruption was significant enough that two separate customers independently reported to media that their services had been offline since that time. A critical point of frustration for these clients was an initial and complete lack of communication from Seacom regarding the nature or cause of the outage. One customer explicitly stated they had received no news or updates from the company through any channel, including its Twitter account, for the entire duration of the outage from Wednesday morning through to Thursday. This communication gap forced customers to exhaust all available avenues to obtain information, including attempting to contact senior executives directly. Reports indicated that Seacom’s Chief Operating Officer was unavailable and the head of customer operations was not answering his phone. Furthermore, other customer service agents were not responding to messages sent via WhatsApp, leaving clients entirely in the dark about the status of their services and the reason for the disruption.

It was only after external media inquiries were made that Seacom formally acknowledged the situation. Following contact from MyBroadband, the company issued an official statement confirming it was dealing with a "cyber security incident." This public confirmation came after customers had already been without service and without information for a period exceeding a full day. In its statement, Seacom moved to clarify the scope of the event, asserting that the incident had been contained specifically within its hosting environment. The company emphasized that the impact was limited to a small server environment and only affected a small number of customers. This delineation was important for Seacom to communicate that its core network and primary business offerings remained untouched by the attack.
To address the concerns of its broader client base, Seacom provided specific assurances that its most prominent business offerings were operational. The company stated unequivocally that its business and wholesale connectivity services were unaffected by the incident and remained stable. This was intended to distinguish between the targeted hosting services and the wider connectivity infrastructure, reassuring the majority of its customers that their services were running as normal. Furthermore, Seacom provided an initial assessment regarding data security, stating that its investigation suggested no customer data had been compromised. This early finding was a key part of their communication to mitigate concerns about potential data breaches resulting from the attack.
In terms of its technical response, Seacom reported that its IT and Security teams immediately activated the company's business continuity plan upon detection of the incident. The implementation of this plan was described as a swift and structured reaction to the threat. The company characterized its containment efforts as successful and timely, stating that the situation was "contained timeously." Following the initial containment, Seacom indicated that any developments were being closely monitored by its security teams, who were engaged in proactive monitoring of all systems on the network to mitigate further threats and respond to any new incidents. This ongoing vigilance was part of the standard protocol to prevent escalation or additional security breaches.
The recovery process was described as structured and deliberate, focused on ensuring systems were fully and securely restored. Seacom communicated that it was undergoing this process methodically to guarantee the integrity of its systems before bringing them back online. Throughout this period, the company stated that its customers and staff remained its top priority. As part of this commitment, Seacom claimed that all affected customers had been personally notified and were being kept abreast of recovery plans. This assertion, however, stood in direct contrast to the experience reported by one affected customer, who stated that Seacom did not provide them with any information until late on Thursday afternoon, long after the outage began and only after media had begun inquiring about the situation.
The impact on the affected customers was severe, primarily manifesting as a prolonged and unexplained service outage. For these businesses, the loss of hosting services meant critical online operations were halted from Wednesday morning onwards. The absence of any communication compounded the problem, as customers were unable to determine whether the issue was a simple technical fault, a major cyber attack, or something else entirely. This lack of information prevented them from implementing their own contingency plans or providing accurate updates to their own stakeholders. The fact that senior leadership was unreachable during this critical period added to the frustration and sense of helplessness experienced by the clients.
Seacom's public statements focused on the technical containment and the limited scope of the attack, but the incident also highlighted a significant crisis communication failure. The company's claim of having personally notified all affected customers was directly challenged by firsthand accounts from those same customers, who reported a total information blackout until external pressure was applied. This discrepancy points to a potential gap between the company's intended response protocol and the practical execution of customer communications during the initial stages of the crisis. The delay in public acknowledgment also meant that many customers learned of the cyber attack through media reports rather than directly from their service provider.
The technical aftermath involved a structured recovery process where Seacom worked to fully restore the systems within its hosting environment. The company’s emphasis on a methodical restoration suggests a careful approach to ensure that systems were not only brought back online but were also secure and free from any lingering compromises before being returned to production use. This process is typical in the wake of a cyber incident to prevent re-infection and to ensure the stability of the restored services. The company's commitment to proactive monitoring continued throughout this period to guard against any follow-up attacks or attempts to exploit the recovery phase.
In summary, the Seacom cyber incident that began on May 10, 2023, was a targeted attack on its hosting environment that caused service outages for a subset of business customers. The company’s technical response involved the immediate activation of its business continuity plan, which it reported led to the timely containment of the incident. Its investigation found no evidence of customer data compromise. However, the event was also marked by significant communication issues, with affected customers reporting a lack of updates from the company for over a day, contradicting Seacom’s official statements about customer engagement. The core network and connectivity services were confirmed to be unaffected, limiting the overall business impact to a specific segment of its hosting clients. The recovery was managed through a structured process aimed at fully restoring systems securely.
