INTRODUCTION: A CASE THAT SHOOK KENYA’S DIGITAL ECONOMY
Safaricom PLC, Kenya’s largest telecommunications company and the backbone of mobile money through M-Pesa, is facing one of the most serious legal and reputational challenges in its history.
A landmark High Court case has revealed allegations that over 11.5 million subscribers’ personal data may have been exposed, accessed, and shared without consent, triggering constitutional questions about privacy, corporate accountability, and digital surveillance in Kenya.
What makes this case extraordinary is that it is not based on speculation or social media rumours. It is rooted in:
- High Court petitions
- Judicial findings and rulings
- Internal communication evidence presented in court
- Compensation orders issued to affected subscribers
The case has now become a defining moment in Kenya’s digital rights landscape.
THE CORE OF THE CASE: WHAT HAPPENED TO 11.5 MILLION USERS?
The petitioners in the case argue that between 2018 and 2019, Safaricom failed to protect sensitive subscriber information, leading to a large-scale internal breach involving rogue access to company systems.
According to court documents, the alleged compromised data included:
- Full names of subscribers
- National ID numbers
- Phone numbers
- Location data
- M-Pesa transaction records
- Betting and gambling activity logs
The court heard allegations that insiders at Safaricom exploited privileged access to its systems to extract this data and share it externally.
Reports presented in court also suggest that the data may have been transferred through:
- Internal Safaricom servers
- Google Drive accounts
- Personal laptops of individuals involved in the scheme
This created what petitioners describe as a systemic and prolonged breach rather than an isolated incident.
HIGH COURT FINDINGS: PRIVACY RIGHTS WERE VIOLATED
In a major ruling delivered by the High Court, Justice Bahati Mwamuye found that Safaricom violated key constitutional rights of the petitioners.
The court specifically cited violations of:
- Article 28 – Human dignity
- Article 31 – Right to privacy
- Article 46 – Consumer protection
The judge ruled that Safaricom, as a data controller, had a legal obligation to safeguard subscriber information but failed to implement adequate protections.
Compensation Ordered
The court ordered:
- KSh 900,000 compensation for each of the 11 petitioners
- Total payout: approximately KSh 9.9 million
- Additional interest and legal costs
The court also emphasised that constitutional damages were justified due to the seriousness of the breach and the risk posed to millions of subscribers.
SCALE OF THE ALLEGED BREACH: WHY THIS CASE IS DIFFERENT
What makes this case particularly significant is its alleged scale.
Court filings and investigative reporting suggest:
- Up to 11.5 million subscribers potentially affected
- Long-term exposure spanning multiple years
- Data potentially circulated across multiple unauthorized channels
- Evidence of repeated internal access patterns
Even though only 11 petitioners received compensation in the judgment, the court acknowledged that the underlying dataset could affect millions of users.
This has raised fears that:
- The true scale may be larger than the case itself
- Most affected users are unaware they were impacted
- The breach may have gone undetected for years
HOW THE BREACH ALLEGEDLY OCCURRED
Court documents describe a disturbing pattern of internal system misuse.
Rogue employee access
Employees with privileged system access allegedly extracted subscriber data without authorization.
External transfer of data
The data is alleged to have been transferred to:
- Google Drive accounts
- External devices
- Third-party actors
Commercial exploitation
One of the most serious allegations is that subscriber data was shared with betting companies for commercial gain.
Named entities referenced in court materials include major betting platforms operating in Kenya.
Betting and M-Pesa linkages
Some of the data allegedly included betting behavior tied to M-Pesa transactions, raising concerns about financial profiling without consent.
WHY BETTING COMPANIES ARE CENTRAL TO THE CASE
One of the most controversial aspects of the case is the alleged involvement of betting firms.
According to court submissions:
- Subscriber data may have been used for targeted gambling marketing
- Betting patterns were allegedly analyzed and shared
- Users may have been profiled based on financial behavior
If fully proven, this raises serious questions about:
- Data commercialization ethics
- Consent for financial profiling
- Cross-industry data sharing
SAFARICOM’S DEFENSE IN COURT
Safaricom has strongly denied liability for the alleged systemic breach.
The company argues that:
- The alleged actions were committed by rogue employees acting outside their job scope
- It should not be held liable for criminal acts of individuals
- There is insufficient proof that subscriber data was broadly compromised
- The case involves multiple overlapping lawsuits, making it procedurally complex
Safaricom also challenged the credibility of some evidence presented, claiming that parts of the petition relied on disputed documents and testimony from individuals facing criminal charges.
COURT’S POSITION: THE BURDEN OF DATA PROTECTION
Despite Safaricom’s defence, the court emphasised a key principle:
Once a prima facie case of systemic data breach is established, the burden shifts to the data controller to prove system integrity.
This means Safaricom was required to demonstrate the following:
- How its systems prevented unauthorized access
- Why internal misuse was not systemic
- How subscriber data remained protected
The court found that this burden was not fully discharged.
BROADER IMPACT: WHY THIS CASE MATTERS FOR EVERY KENYAN
This case is not just about Safaricom—it represents a turning point in Kenya’s digital rights landscape.
Strengthening Data Protection Law
Kenya’s Data Protection Act is now being actively tested in court for the first time at scale.
M-Pesa trust concerns
Since Safaricom operates M-Pesa, concerns extend into:
- Financial transactions
- Loan scoring systems (Fuliza, M-Shwari)
- Digital credit profiling
Algorithmic and surveillance fears
There is growing concern that user data may be analyzed, profiled, and monetized without clear user awareness.
Legal precedent for class actions
This case may open the door to:
- Larger class action lawsuits
- Higher compensation claims
- Stricter corporate accountability
PUBLIC REACTION AND DIGITAL BACKLASH
The case has triggered widespread discussion online, with many Kenyans expressing:
- Concern about unexplained targeted ads
- Fear of financial data exposure
- Distrust in digital privacy systems
Social media discussions highlight a growing sentiment that large tech and telecom companies may have too much access to personal data without sufficient transparency.
WHAT HAPPENS NEXT?
The High Court is expected to continue handling related petitions and appeals.
Key possible outcomes include the following:
- Expansion of the case into a class action
- Higher compensation claims from additional petitioners
- Stricter regulatory enforcement by Kenya’s data protection authorities
- Possible criminal investigations against individuals involved
CONCLUSION: A WAKE-UP CALL FOR DIGITAL KENYA
The Safaricom data breach case represents more than a corporate scandal—it is a defining moment for digital privacy in Kenya.
At its core, the case raises urgent questions:
- Who truly owns digital data in Kenya?
- How safe is subscriber information in large telecom systems?
- Can corporations be fully trusted with sensitive financial and personal data?
As courts continue to issue rulings, one thing is clear: Kenya’s digital economy is entering a new era of accountability.
And Safaricom, the country’s most powerful telecom company, is at the center of it.