Cyberattacks Expose Cracks In Digital Security

In the past few years, Nepal has experienced a wave of cyberattacks. Such attacks have targeted government websites, public infrastructure and the private data of thousands of citizens, showing the nation's serious cybersecurity gaps. The fact that these attacks occur so often shows a dangerous trend that puts not only data privacy at risk but also people’s trust in how the government runs digital services. In July 2025, the Ministry of Education’s website was compromised, making it one of the most concerning cyber incidents. Hackers were able to enter internal systems without authorisation and release private data belonging to thousands of workers and students. Names, phone numbers, emails, citizenship numbers, and even comprehensive academic records were stolen. 

The way the hackers circulated the information, sharing it on Telegram channels and dark web forums in exchange for cryptocurrency, is what makes this breach especially worrisome. Despite the severity of this breach, the official response was minimal at best. There was no clear plan for damage control or public disclosure when the website was temporarily taken offline with the unclear justification of “maintenance.” Earlier in March, there was another major attack on the immigration portal at Kathmandu’s Tribhuvan International Airport. This portal, important for checking visas on arrival and registering tourists, suffered a Distributed Denial of Service (DDoS) attack that sent so much junk traffic to the portal that it couldn’t be used for hours. 

Easy prey 

This problem made travellers wait in long lines, slowed down processing at the border, and caused a lot of chaos at the airport. After further investigations, it was found that the immigration portal didn’t even have basic cybersecurity protections like a proper firewall or rate-limiting features. These are basic tools that can protect any system that is open to the public from this kind of attack. The event showed how shocking it is that some important government digital services are still not well protected. Unfortunately, these are not the only incidents. Throughout 2025, multiple government websites have faced similar disruptions and breaches. 

The Office of the Prime Minister’s website reportedly went offline multiple times following suspected intrusion attempts, while various municipality websites were defaced with pro-hacktivist slogans. Even more troubling, systems for citizenship applications were found to be exposing unencrypted data through unsecured API endpoints, putting citizens’ sensitive information at risk. These repeated attacks show that government agencies are not working together to improve security and that they are using old technology and not paying attention to their own systems. 

So why are government websites such easy prey for hackers? There are several reasons, but they can largely be reduced to maintenance, lack of security practice and weak protocols. Many of these websites were created years ago and have been left behind with out-of-date CMS frameworks, plug-ins that are unsupported, and with default credentials still in use. To make matters worse, much of the hosting and development work is outsourced to third-party contractors who often lack the necessary cybersecurity training to adhere to best practices. This combination creates a perfect storm where a simple SQL injection or misconfigured firewall can lead to catastrophic breaches.

Cybersecurity is not simply about throwing money at antivirus programmes or installing firewalls; it’s a cultural change within our public institutions. Updates, secure coding, continuous assessment of access management/access control, and encrypting data are only part of the need. Sadly, this culture of cybersecurity awareness is largely absent in Nepal’s government departments. Although Nepal drafted the National Cyber Security Policy in 2023 with commendable intentions, the reality is far from ideal. There is no central authority with the power or resources to enforce cybersecurity standards across ministries. Budgets allocated to cybersecurity are limited and frequently slashed, reflecting a troubling perception that cybersecurity is a non-essential expense rather than a core national security priority.

Training is another pain point. Public servants who work with sensitive data often receive little to no education regarding cybersecurity. By using weak passwords, failing to properly secure network drives, and lacking digital hygiene, individuals create an opportunity for an attacker to exploit those gaps. Some well-known hacker groups targeting Nepal include DragonForce and some LulzSec clone groups, which are looking for internet fame by hacking poorly protected systems. The chaos is escalated by beginner hackers from Nepal, or script kiddies on Telegram, who have tools ranging from SQLmap, Hydra, and Metasploit.

Governance challenge

The broader issue here is that cybersecurity in Nepal is not just a technical problem but a governance challenge. As digital services become critical to everyday life — from passport renewals to citizenship applications, securing these systems must become a national priority. This means regular security audits for all government digital services, recruiting trained cybersecurity professionals into public sector roles, and establishing clear protocols for breach disclosure and user notification. Public awareness campaigns on digital safety and literacy would also help build resilience among citizens. Most importantly, Nepal needs a centralised agency empowered to monitor, guide, and enforce cybersecurity standards across all government entities.

At present, the country is at least trying to catch up. Ignoring these warning bells will only further future breaches and make it much worse both digitally and socially. Any breach will never be merely a stolen set of information; there will always be reputational risk. Breaches can erode public trust, obliterate vital services, and create a political crisis. Nepal deserves better protection for its digital infrastructure. If Nepal wants to thrive in this digital era, securing its cyber borders must be taken as seriously as its physical ones. The time for half-measures is over. Cybersecurity is a collective responsibility that demands commitment at every level. The government, public servants, and citizens all have a role to play in building a safer, more secure digital future. Because when it comes to protecting our nation’s digital identity, there’s no room for error.

(Dhungana is pursuing B.Tech in CSE-Cybersecurity at Jain University, India)