Safaricom’s courtroom tango over the theft of personal data belonging to 11.5 million subscribers has officially lost its out-of-court footing. The settlement talks have collapsed, and the matter is now headed for a full-blown trial.
Here is the tea: two of the telco’s former senior managers are accused of pulling off a high-stakes data heist, allegedly transferring subscribers’ sensitive information — including names, ID numbers, phone contacts, betting histories, and even geolocation data — from Safaricom’s servers to Google Drives and personal laptops. The data was reportedly being peddled to a leading sports betting firm through one Benedict Kabugi, who is now a central figure in this data scandal.
Safaricom’s civil suit seeks to block the sale or transfer of the stolen data and to have the culprits declared liable for any regulatory penalties should the telco be sanctioned by the Office of the Data Protection Commissioner (ODPC). The firm says the leak exposes it to “numerous lawsuits” and reputational harm.
But the plot thickens: Kabugi has filed a constitutional petition, accusing Safaricom of violating the Data Protection Act by failing to prevent the breach. He claims to be a whistleblower, though Safaricom insists he is just trying to extort KSh100 million to reveal the source of the stolen data. In true cyber-thriller fashion, the company says it can’t even access the compromised Google Drive or trace two of the laptops containing the trove.
The legal brew: This case is a wake-up call for data controllers and processors — particularly those sitting on vast consumer datasets. It underscores how insider threats remain one of the most potent risks to data integrity and how corporate accountability under the Data Protection Act is no longer theoretical. Even when a breach originates from rogue employees, organisations can still be held liable for inadequate safeguards.
Globally, companies like British Airways, Equifax, and Uber have faced multimillion-dollar fines for similar lapses. The ODPC is flexing its enforcement muscle locally, and this case could test how far Kenya’s data protection regime can stretch when a corporate giant becomes both a victim and a potential violator.
So, while Safaricom is fighting to block the sale of its stolen data, the bigger question brewing is: can a data controller truly claim innocence when the breach begins from within?