Deal on stolen data of 11.5m Safaricom subscribers flops

Benedict Kabugi Ndungu at Milimani Law Courts in Nairobi on June 13, 2019.

Photo credit: File | Nation Media Group

Safaricom has failed to settle a suit in which it sought to block the sale or transfer of stolen personal data belonging to 11.5 million subscribers.

Two former managers at Safaricom allegedly accessed and shared data, including customer names, phone numbers, birth dates, subscribers' location, gambling records, and passport and ID numbers, with a businessman, Benedict Kabugi, for sale to a top sports betting firm.

The data leak triggered three cases, with Safaricom having sought time to settle one of the civil suits outside court in exchange for the three withdrawing counter suits and promising not to transfer the data trove.

But when the parties appeared before High Court deputy registrar, Sylvia Moturi, on October 8, they informed the court that they had not reached a settlement, paving the way for a full hearing of the matter.

Safaricom has named the two former senior managers and Mr Kabugi as key suspects over the leak and theft of personal data belonging to 11.5 million subscribers.

Court documents suggest the information was nearly sold to a sports betting company before the plot was uncovered.

The plot allegedly started with the former senior managers creating an algorithm that would collate and analyse data based on subscribers' betting patterns.

They ended up with personal data of 11.5 million subscribers that was transferred from Safaricom servers to Google drives that were locked with strong passwords. Safaricom has been unable to access the drives.

The data from the drives was later transferred to three personal laptops, and the Directorate of Criminal Investigations (DCI) and Safaricom have been unable to trace two of the personal computers, upping the stakes in the race to stop their sale and transfer.

Personal information has proved highly valuable to hackers in recent years as it can be used to conduct identity fraud or to target individuals with online scams.

Telecoms companies, which hold a wealth of information on millions of people, have become a common target for such attacks.

Safaricom has raised the alarm that the data could be transferred to more third parties, exposing the telecoms firm to legal suits and regulatory sanctions and penalties.

This prompted the telecoms operator to seek the court’s protection.

“The plaintiff has not been able to secure the personal laptops owned by the 2nd and 3rd defendants (former Safaricom managers), which then allows them to disseminate the subscriber data,” said Safaricom.

“They will disclose the confidential information of millions of subscribers, thus exposing Safaricom to numerous lawsuits.”

The 11.5 million subscribers, who have previously used their accounts for betting, account for 23 percent of Safaricom's customer base.

The firm filed a suit in the High Court seeking a permanent injunction barring the managers and Mr Kabugi from sharing or selling the data.

It sought to have the court declare the three liable to regulatory penalties and compensation should the company be punished for failing to protect customer details held in its servers.

Authorities have started to heavily penalise companies that have failed to protect customer details held in their servers.

Uber, Target, T-Mobile, Equifax, British Airways and Capital One are among the businesses that have been hit with large fines over data breaches and, in some cases, poor handling and communication of the issue.

In Kenya, the Office of the Data Protection Commission has recently fined scores of firms for data leaks.

Fake whistleblower

Mr Kabugi also filed a separate suit in the constitutional court seeking a declaration that Safaricom breached the Data Protection Act in failing to prevent the information leak.

He wants Safaricom to pay him Sh100 million and Sh10 million for each of the 11.5 million subscribers who have joined the data theft suit.

But Safaricom has termed him a fake whistleblower, arguing he leaned on the telecoms firm when they struggled to sell the data to the sports betting firm.

“The third defendant was in fact not a whistleblower but just another person out to coerce and force Safaricom to pay him Sh100 million to disclose the identity of the source of the confidential data that was in his possession,” Safaricom told the court.

Safaricom accuses the former employees of breaching their contractual and statutory duty.

It says the two employees abused their access privileges to harvest data far beyond their authorisation.

In the constitutional petition, Mr Kabugi alleges that the stolen data contained crucial personal information of mobile users, such as the full names of all subscribers who participate in gambling, the subscribers’ mobile numbers, gender and nationality of the subscribers.

Also available were details of various betting platforms on which the subscribers may have registered, gambling transaction histories, identity numbers, passport numbers, military identity card numbers, certificate of incorporation numbers, and alien identity card numbers of the subscribers.

He further claims that the data had information on the total amounts expended towards gambling by each of the subscribers, mobile handset name and manufacturer, indicator on the network used (2G/3G/4G), specification on whether dual SIM or single SIM and the location of the subscriber, including area, region and country.

He wants Safaricom cited for breach of privacy and punished for poor safeguards in handling personal data.

Upon learning about the breach, Safaricom engaged the DCI, who uncovered WhatsApp conversations detailing the scheme.

“It is through those WhatsApp texts that the plaintiff came to learn of the existence of a Google Drive,” says Safaricom.

One of the managers implicated in the scandal had also filed a petition at the High Court challenging the manner in which the WhatsApp chats were obtained by the DCI, arguing that the texts were manipulated.

At the time of filing the court case, Safaricom said it had not been able to obtain access to the Google Drive containing the data, nor had it been able to remotely access and delete the subscriber data contained in the cloud storage.

“The subscriber data contained in the Google Drive could be transferred, sold or disseminated to other third parties,” says Safaricom.

The case returns to court on October 30, 2025, for a pretrial to confirm if parties have filed all their pleadings. Besides the civil and constitutional cases, the two former managers and Mr Kabugi are facing a criminal matter, in a case yet to be concluded.
