Safaricom Data Breach Case Puts Spotlight on Corporate Privacy Controls

Safaricom’s failed attempt to settle a civil case over an alleged data breach has put renewed focus on how companies handle sensitive consumer information. The dispute, centered on claims of data theft and attempted sale involving 11.5 million subscribers, is now set for a full hearing at the High Court.

The parties were unable to reach an out-of-court agreement before the deputy registrar on October 8, 2025, paving the way for trial. The case has drawn close attention from regulators and data protection advocates, who view it as a test of how Kenya’s Data Protection Act applies to large corporate entities.

According to court filings, two former Safaricom managers and businessman Benedict Kabugi are accused of developing an algorithm to analyze betting patterns and extract subscriber data from company servers. The information reportedly included personal details such as names, ID and passport numbers, dates of birth, locations, phone data, and gambling histories.

Investigations allege that the extracted data was transferred to password-locked Google Drives and three laptops, two of which remain untraced. Safaricom claims the data represents about 23 percent of its customer base and warns that it could be exposed further if not contained.

The company is seeking a permanent injunction to prevent any transfer or use of the information. It also wants the accused held liable for damages and penalties if regulators determine that the breach contravened data protection laws.

The Directorate of Criminal Investigations (DCI) has linked WhatsApp messages to the location of the Google Drives, but one of the former managers disputes their authenticity. Safaricom maintains that its internal systems were targeted by unauthorized access, though it says the breach has since been contained.

Separately, Kabugi has filed a constitutional petition seeking Sh100 million in damages for himself and Sh10 million for each affected subscriber. He accuses Safaricom of failing to safeguard user data in line with the Data Protection Act.

Safaricom has dismissed the claim, describing Kabugi as a “fake whistleblower” who allegedly demanded Sh100 million to disclose the source of the stolen data after a failed attempt to sell it to a betting company. The telco insists it is the aggrieved party in the case and has pledged full cooperation with authorities.

The matter returns to court on October 30, 2025, for pretrial proceedings. Meanwhile, related criminal charges against the two former managers and Kabugi are ongoing, as regulators monitor the case for possible compliance implications within Kenya’s telecommunications and digital services sector.
