Written by Andrew Kariuki
A court case in which Safaricom PLC sought to block the sale and transfer of stolen personal data belonging to more than 11.5 million subscribers has failed to reach a settlement.
Court filings reveal that the data breach allegedly involved two former senior managers of the telecommunications giant, accused of accessing and sharing confidential customer information with a businessman identified as Benedict Kabugi.
The stolen data reportedly included names, phone numbers, birth dates, ID and passport numbers, as well as gambling records and subscribers’ location details.
According to investigators, the scheme began when the former managers developed an algorithm designed to analyse betting habits among Safaricom users.
The program allegedly collected sensitive details of more than 11.5 million subscribers. This data was later moved from Safaricom’s internal servers to several Google drives that were heavily encrypted with passwords, making retrieval efforts difficult for investigators.
The information was allegedly intended for sale to a leading sports betting company seeking insights into user behaviour and gambling patterns.
Safaricom, in its petition, argued that the breach represented a serious violation of customer privacy and an offence under the Data Protection Act. The company sought a court order to prevent the dissemination or commercial use of the data.
Despite efforts to reach an out-of-court agreement, the case has now stalled. The court has been informed that negotiations between the parties broke down, paving the way for a full hearing.
The matter remains under active investigation as authorities attempt to trace how the data was accessed and whether additional employees or third parties were involved.
The Office of the Data Protection Commissioner has also been briefed on the case, which could become one of Kenya’s largest ever privacy breaches.
