The Office of the Data Protection Commissioner (ODPC) has ruled against Bolt Operations OU and Bolt Support Kenya Limited in a case involving unauthorized access to a driver’s account, ordering the company to pay KES 500,000 in compensation for violating data protection rights.
The case, filed by Kennedy Wainaina Mbugua on March 19, 2024, revealed that unauthorized parties accessed his Bolt driver account, performed 17 fraudulent trips worth KES 26,250, and altered account details, with Bolt’s customer support team failing to properly handle the incident and escalate it according to established protocols.
While Bolt attributed the incident to a phishing attack and social engineering, the ODPC found the company liable for violating the complainant’s rights under Kenya’s Data Protection Act, including the right to access personal data and correction of false information.
The investigation revealed significant procedural failures by Bolt, including improper verification processes for account changes, failure to conduct required Data Protection Impact Assessments (DPIA) for its account management systems, and failure to notify the Data Commissioner of the breach within the required 72-hour window, leading to the enforcement notice and compensation order.
Now more than ever before, organizations need robust, end-to-end data protection frameworks. This includes implementing multi-factor authentication, regular security training for customer service teams, and clear escalation protocols for suspected breaches. Companies should view data protection not as a standalone IT function but as an integral part of their business operations.
To stay ahead of any potential violations, establish a dedicated privacy officer role, conduct quarterly compliance audits, and maintain detailed documentation of all data processing activities. The financial impact extends beyond direct penalties: reputational damage and loss of customer trust can have far-reaching consequences for business growth and sustainability. Organizations would do well to invest in preventive measures rather than face the costly aftermath of data protection violations.