A little-known Moldovan firm exploited a bug in the IT system of the State-owned Business Registration Service (BRS) to access sensitive data of significant shareholders in registered firms—including President William Ruto, the Kenyatta family, and several other prominent investors.
B2bhint, a Moldovan business intelligence firm, was on Monday selling the trove of secret data of significant shareholders in over two million firms, including data on residential addresses, email and phone numbers as well as names of beneficial owners, for as much as Sh24 million for a package and as little as $0.015 (two shillings) for telephone numbers.
The firm denied hacking the BRS system and blamed a weak cybersecurity standard for allowing it to access sensitive information without much effort.
The data breach at BRS revealed the business holdings of some of the country’s most powerful figures—including President Ruto, the Kenyatta family, and several other prominent investors, including former Prime Minister Raila Odinga.
For years, much of this information remained secret.
The data breach is said to have occurred on the night of Friday last week, with personal data put up for sale on the site known as B2bhint.com, including the beneficial owners of firms, which was being sold for a monthly subscription of $350 (Sh45,226).
“BRS was not hacked. BRS’s website has a direct link where all company data is available free of charge, though we won’t share the specific link here for security reasons,” said a representative of B2bhint in an email response.
“We are still waiting for BRS to contact us via email so we can provide them with the direct link to remove it from their website. It is quite interesting why this link remains publicly accessible if the information is not meant to be public.”
The breach comes weeks after the lapse of the December 1 deadline that required registered companies to disclose the names, phone numbers, and residential addresses of owners who hold more than 10 percent stakes through secret accounts to BRS.
Kenyan authorities have since Saturday scrambled to contain the damage and investigate the incident that allowed partial access to data with just a click of a button.
The far-reaching leak gave the public a rare sneak preview into the multi-billion-shilling estates controlled by some of Kenya’s prominent families.
It also revealed information on beneficial owners of various companies, which has largely been a preserve of law enforcement agencies—except for investors that have done business with the government.
Although President Ruto’s name did not feature in the search, those of his family members, including his wife and two children, were prominent.
Businesses linked to Ruto’s family members include familiar names such as the Weston Hotel and Koilel Farm where Mrs Chebet Rael Kimeto (Mrs Rachel Ruto), who is the First Lady, and his daughter Ms Chelagat Ruto (Charlene), were listed as directors.
The other company where the two are involved is Matiny Limited, where they are listed as shareholders. Matiny is also one of the shareholders of Weston Hotel.
Rachel and Chelagat are also listed as shareholders of Urban Groove, which deals in high-end apartments and luxury short-stay accommodations, popularly known as Airbnb.
The First Lady is also into fisheries through Lake Jipe Fisheries, Kisima Fisheries and Taveta Fisheries. The President’s spouse is also a shareholder in Destiny Women Microfinance, Joyful Housing Union, Mama Doing Good and Blues and Holdings.
She is also a shareholder of Black Beauty, Malka Company and Talya.
Companies in which Chelagat is involved as a director/shareholder include Golf Charlie Investments, FFL Ventures, Smachs Foundation, Marlen Limited, and Charlene Foundation.
Others are Swift Foot Limited, Lerasho LLP, Cabin Cabana and Honey Licious.
President Ruto’s son, George Kimutai Ruto, is a beneficial owner of Golf Charlie Investments Limited, which means he has a stake of more than 25 percent, though his name is not listed among the shareholders in the CR12.
He is also a director/shareholder of Golf Charlie and is listed as a partner of Nerami LLP. He is a director/shareholder of TBT The Biashara Team Limited, X Fold Limited, and Seil Investment Limited.
The data breach also revealed the vastness of the Kenyattas’ empire, spanning property and dairy processing to hotels.
The family is connected to a chain of hotels under the umbrella of Heritage Hotels. The directors of Heritage Hotels include Muhoho Kenyatta, the older brother of retired President Uhuru Kenyatta. Their father was Kenya’s first president.
Muhoho is also a director of 14 other companies, including Brookside Africa, Ilara Dairy and Brookside Dairy Limited, which are involved in dairy processing.
He is also a director of Emken Investments, the holding company for the Kenyattas, Greenhut Investments, CBA Property Holdings, Northlands, Kipungani Lamu, Gleenlee Company, Sukarii Development, Loops DFS, Serengeti Investments and Gicheha Farms.
Major players in the Kenyatta empire include John Stuart Armitage, who has been helping the family to run their business for many years. He is also a shareholder/director of Enke Management.
He is also a shareholder/director of 19 other businesses linked to the Kenyattas, including NCBA Group, Brookside Group and Heritage.
The other major player in the Kenyatta empire is High Court advocate Jacob Ogechi Ombongi, who is the company secretary of Enke Management.
The family of Kenya’s first Vice-President Jaramogi Oginga Odinga has interests in logistics, energy, real estate and entertainment. The family is best known for stakes in East Africa Spectre and Spectre International, which manufacture cooking gas cylinders.
Their shareholders include the estate of Jaramogi, former Prime Minister Raila Odinga, Siaya Senator Oburu Oginga and the estate of Africa’s first barrister Argwings Kodhek. Ida Odinga, Raila’s wife, and Raila Odinga Junior are listed as directors.
Companies associated with the Odinga family include Lennox Development, Duma Investments, Newspoint, Adopo Capital, Kango Enterprises and Spectre International.
Others are Jahazi Development, Pan African Petroleum, Creative Hub, Wutho Holdings, and Be Energy.
Besides the normal shareholder information that BRS discloses at a fee, B2bhint was selling much more detailed data, including beneficial owners of companies.
It also provided a list of firms associated with a director or shareholder, or firms affiliated with a targeted company, under a single view. For example, a search on Dr Ruto’s Weston Hotel provided details of the companies in which all its shareholders or directors are involved.
By Monday 4pm, the organisation had retracted all information on Kenyan companies’ shareholders, beneficial owners, and affiliated companies and the data was no longer accessible even by paying subscribers.
“We have asked our developers to remove all extended information and retain only the basic company data,” said B2bhint.
The full package of available data is fetching a premium of up to $186,433 (Sh24 million), including 812,863 phone numbers; 832,648 email addresses; 2,091,046 physical addresses and status of 2,093,194 firms.