Two men were Thursday charged in court with hacking into Safaricom #ticker:SCOM network and having links to international terrorists.
The breach saw a mobile phone subscriber lose Sh260,000.
Robert Nsale, a Ugandan national, and Morgan Kamande were first arrested on March 31 after Safaricom reported suspicious behaviour on its network.
They two suspects appeared Chief Magistrate Francis Andayi.
“A report was booked at Parliament Police Station vide 0B 18/10/3/2017 by one Erick Mugo, senior manager at the Safaricom investigation department for an offence of unauthorised access to their protected systems,” an affidavit by the police reads.
After the telecom firm reported the case to the police, the police carried out investigation and the hack was initially associated with a Safaricom staff account.
However, further investigations associated the breach with a phone number registered to one Edward Waweru.
Court documents show that the suspects were found in possession of the SIM card used in the hacking and a laptop with “the unauthorised access information”.
Although the two suspects were initially released on a bond, they were later arrested again.
This is after investigations by the Anti-Terrorism Police Unit showed they could be involved in terror-related hacking activities with a larger criminal network affiliated to ISIS and ISIL cyber caliphate in the country.
Police said that they are yet to track down the duo’s associates.
The owner of the SIM card used in the attempt to hack Safaricom, Mr Waweru, has also not been found nor has the agent who registered the phone number.
Arguing that releasing the suspects could jeopardise the case, the police therefore requested more time to conclude their investigations.
The suspects have been granted 15 days during which the suspects will remain in custody.
In a separate statement, Safaricom said that the hack had seen one customer lose “Sh266,000 through an unauthorised SIM swap”.
The money was later refunded.
The company said that its risk management unit caught the intrusion before it could escalate into something bigger.
“I wish to assure our customers that all their data is safe and we have no evidence of any money being removed from the system,” said Safaricom chief executive, Mr Bob Collymore.
Although the constitution guarantees the privacy and protection of customer data, Kenya has no data protection law outlining what companies can and cannot do with this information.
However, Safaricom said that it adheres to international standards on information security and data management.
The company investigated 27 cases of fraud in the 2016 financial year, two of which ended up in court.
Increased technological access has been a double-edged sword in Kenya as incidences of cybercrime have been on the rise.
A 28-year old man, Alex Mutungi Mutuku, was on March 7 arrested and charged with hacking the Kenya Revenue Authority’s (KRA’s) systems, leading to a loss of Sh4 billion.
Internet security firm Serianu estimates that Kenyan businesses lost about Sh18.1 billion to cybercrime last year.
Audit firm Deloitte recently predicted that losses to cybercrime would peak this year.