What began as an alleged insider theft of customer information at Safaricom has evolved into one of the most consequential data privacy scandals in Kenya’s history, exposing weaknesses in corporate data governance, raising questions about the commercial trade in personal data, and placing businessman Benedict Kabugi at the centre of a years-long legal and criminal battle.
At the heart of the case is the alleged unlawful extraction and commercial exploitation of personal information belonging to more than 11.5 million Safaricom subscribers. Court records indicate that the data included names, phone numbers, identity card and passport details, location information, handset records, M-Pesa transaction histories, and betting activity linked to millions of customers.
Safaricom alleges that two former senior managers worked with Kabugi to harvest the information from its systems between 2018 and 2019. According to court filings, the data was transferred to password-protected cloud storage accounts before being copied onto personal computers, some of which have never been recovered. The telecommunications giant maintains that the information was assembled for sale to entities operating within Kenya’s betting industry, where detailed customer profiles carry significant commercial value.
The case has attracted extraordinary attention because of the sheer scale of the alleged breach. Investigators estimate that the database contained information relating to nearly a quarter of Safaricom’s customer base at the time, making it one of the largest alleged data leaks ever to emerge from a Kenyan corporation.
Safaricom has consistently portrayed Kabugi not as a whistleblower but as a participant in the scheme who later sought to profit from the fallout. The company claims that after efforts to commercialize the data failed, Kabugi demanded Sh100 million in exchange for revealing the source of the stolen information and withholding further disclosures.
Those allegations resulted in criminal charges related to demanding money with menaces. Kabugi has denied wrongdoing and insists he exposed serious failures within Safaricom’s data protection systems.
His defence has centred on the argument that he brought the breach to light and forced accountability from one of East Africa’s most powerful technology companies. Safaricom, however, maintains that his actions were motivated by personal financial interests rather than public concern.
The dispute took a dramatic turn in May 2026 when the High Court found Safaricom liable for violating the constitutional rights of subscribers whose information had been exposed.
In a landmark judgment, the court ruled that Safaricom could not escape responsibility by attributing the breach solely to rogue employees. The court found that subscriber information, including financial records, betting-related data, device identifiers and location information, had been unlawfully disseminated beyond the company’s systems without consent.
Eleven affected subscribers were awarded damages together with costs and interest, establishing a significant precedent for data privacy litigation in Kenya.
The ruling also reinforced claims that the stolen information had circulated among external commercial actors linked to the wider betting ecosystem.
Court records referenced in the proceedings pointed to evidence suggesting that sensitive subscriber information was shared beyond Safaricom’s internal systems, raising fresh questions about how customer data may have been acquired, exchanged and exploited for commercial gain.
The findings have intensified scrutiny of the relationship between customer data, mobile money activity and Kenya’s lucrative betting sector, where detailed behavioural information can provide a substantial competitive advantage.
For years, privacy advocates have warned that databases containing gambling histories, spending patterns, transaction records and geolocation information represent valuable commercial assets capable of driving highly targeted marketing campaigns.
The Safaricom case has transformed those concerns from theoretical risks into a real-world legal and regulatory challenge.
Investigators examining the matter have reportedly reviewed digital communications, financial records and forensic evidence that suggest the stolen information attracted interest from individuals and businesses seeking detailed insights into consumer behaviour.
The controversy has therefore expanded beyond Safaricom itself, drawing attention to the broader marketplace for personal data and the incentives that fuel demand for illegally acquired customer information.
Legal experts say the implications could be far-reaching. Beyond the damages already awarded, Safaricom faces the prospect of additional claims from affected subscribers and heightened scrutiny from regulators charged with enforcing Kenya’s data protection laws.
The scandal has also highlighted the growing economic value of personal information in an increasingly digital society. The leaked database allegedly contained a detailed portrait of customer behaviour, combining financial transactions, betting activity, communication patterns and personal identification data in a manner that investigators believe could have generated enormous commercial returns.
For millions of subscribers, the controversy represents a profound breach of trust.
Customers who relied on Safaricom for communication, mobile banking and digital transactions now face the possibility that some of their most sensitive personal information circulated far beyond the company’s control.
Although Safaricom says it has strengthened internal security controls and compliance measures since the breach emerged, concerns remain about unrecovered devices and the possibility that portions of the database continue to exist outside official channels.
The affair has also complicated Kabugi’s public image.
To Safaricom and prosecutors, he is an alleged participant in a scheme to profit from stolen customer information who later attempted to leverage the breach for financial gain from both the telecommunications giant and entities operating within the betting sector.
To his supporters, he remains the man who exposed one of the largest privacy failures in Kenyan corporate history and forced a national conversation about data protection and accountability.
As civil and criminal proceedings continue, the courts will ultimately determine where responsibility lies.
What is already clear, however, is that the scandal has become a defining test of Kenya’s data protection regime. It has exposed vulnerabilities at the intersection of telecommunications, mobile money and digital commerce while raising uncomfortable questions about how millions of Kenyans’ personal information may have been collected, shared and monetized without their knowledge.
For Safaricom, the challenge extends beyond legal liability and financial penalties. Rebuilding public confidence may prove far more difficult.
In an economy where data has become one of the most valuable commodities, trust remains the ultimate currency. Once lost, it is often the hardest asset to recover.
