The Moldovan firm that leaked sensitive business dealings of prominent Kenyans has deleted the information from its site as the data protection watchdog investigates the breach, exposing the State companies' registrar to fines and compensation.
B2bhint, a Moldovan business intelligence firm, retracted all information on significant shareholders in registered firms that it had stealthily accessed from the State-owned Business Registration Service (BRS), including that of the families of President William Ruto and first President Jomo Kenyatta, and several other prominent investors.
The firm told the Business Daily on Tuesday that it opted to bring down the leaked data to avoid legal liability, adding that neither the BRS nor any law enforcement agency from Kenya had reached out to it in the aftermath of the breach.
The Office of the Data Protection Commissioner (ODPC) officially opened an investigation to establish whether BRS failed to protect the sensitive personal information, a breach that will see the State-owned firm fined and ordered to compensate the aggrieved investors.
On Monday, B2bhint said it was waiting to be contacted by BRS, which hosts the companies’ data, before addressing the leak, arguing that weak cybersecurity standards allowed it easy access to the secret information.
This has sparked talk of a ransom payment to the firm, which was selling the secret data of significant shareholders in over two million firms, including residential addresses, email addresses and phone numbers as well as names of beneficial owners, for as much as Sh24 million for a package and as little as $0.015 (two shillings) for telephone numbers.
“We have decided to temporarily remove all Kenyan company data from our website while we conduct further research to determine what information is permissible to publish,” said the Moldovan firm in an email response.
“We believe that at a minimum, company name, status, and company registration number are likely allowed, but we want to be certain before we republish any data.”
It is not yet clear if or when the firm will return the Kenyan data to its website.
However, it still has details of companies from several other jurisdictions, including the UK, Dubai, Europe and several States in the US.
“We’ve opened an investigation into the alleged breach. The probe might take some time, but ultimately, we’ll publish a determination which will say who is liable and whether or not affected parties will need to be compensated,” a spokesperson from the ODPC said.
According to the Data Protection Act of 2019, the BRS would pay a penalty of up to Sh5 million should the watchdog investigation reveal that it failed to protect the privacy and security of investors’ data.
However, it risks a heavier financial burden from the wealthy and powerful investors whose data was breached.
The Act provides that people whose privacy may have been unnecessarily violated by the breach are free to seek compensation, and may be awarded damages determined by the data commissioner.
BRS Director-General Kenneth Gathuma did not respond to requests for comment.
Outside Kenya, similar breaches have hit firms hard.
Telecoms giant AT&T agreed to pay $13 million (Sh1.67 billion) to resolve an investigation over a data breach of a cloud vendor in January 2023 that impacted 8.9 million AT&T wireless customers whose data was exposed.
B2bhint denied hacking the data and blamed a weak cybersecurity standard for allowing it to access sensitive information without much effort.
The data breach is said to have occurred on the night of Friday last week, with personal data put up for sale on the site known as B2bhint.com, including data on beneficial owners of firms, which was being sold for a monthly subscription of $350 (Sh45,226).
Kenyan authorities have since Saturday scrambled to contain the damage and investigate the incident that allowed access to sensitive data with just a click of a button.
The far-reaching leak gave the public a sneak peek into the multibillion-shilling estates controlled by some of Kenya’s prominent families.
It also revealed information on beneficial owners of various companies, which has largely been a preserve of law enforcement agencies—except for investors that have done business with the government.