Safaricom, Kenya's leading telecommunications company that also runs mobile money service M-PESA, is being sued for allegedly leaking the personal data of 11,5 million customers. The lawsuit was filed earlier in June 2019 in a Kenyan court after a database containing the personal details of customers, their sports betting history and some biometric data has been making the rounds on the Internet.

The lawsuit is reported to have been filed by Benedict Kabugi, a Safaricom customer, who was apparently approached by someone in possession of the database.

“The data, which the petitioner herein viewed personally, was specific to gamblers who had used their Safaricom mobile numbers to gamble on various betting platforms registered in Kenya,” reads part of Kabugi's filed lawsuit.

Data breaches in Kenya

The breach and leak of customers personal data is not the first of its kind in Kenya. During October 2016 a hacker from Burundi found a bug on KCB Group's banking app, one of the largest banks in the East African country, that lead to the leaking of customers personal details. That list, which iAfrikan saw, had just over 500,000 customer details on it including mobile numbers. To date, given that Kenya had no data protection laws in place, no known legal action was taken against the bank.

Before the KCB leak, during July 2012 a group calling themselves Prodect reported that they had hacked one of the Kenya Broadcasting Corporation (KBC) servers and proceeded to leak publicly on the Internet, a database of what appeared to be the KBC's customers that included, among others the users' plain text passwords along with other customer details such as payment methods used. What is surprising about the KBC leak is that to this day, at the time of publishing, that leaked database is still available on the Internet.

Data privacy and protection

Currently, Kenya does not have any specific legislation that speaks to data protection. In 2015 a Data Protection Bill was tabled in parliament but it is yet to be passed. The Bill, similar to South Africa's Protection of Personal Information Act (POPIA) and the European Union's General Data Protection Regulation, covers the collection, retrieval, processing, storing, use and disclosure of Kenyans personal data. If in place it would have possibly provided some guidelines and what punishment is due in such a case as the alleged Safaricom leak.

This is why Kabugi has taken to court to claim damages against Safaricom for exposing customers' data. The main argument in Kabugi's lawsuit is that Article 31 of Kenya's constitution protects the privacy of communications.

The leaked data apparently contains full names, mobile phone numbers, mobile device types, location data, gender, age, identity numbers, passport numbers as well as their transactions on sports bets.

We have contacted Safaricom to get their comment on this and we will update as soon as we have feedback.

Share this article via: