On May 13, 2026, Justice Bahati Mwamuye of Kenya's High Court Constitutional and Human Rights Division ruled that Safaricom PLC failed to notify roughly 29.5 million customers that personal data belonging to approximately 11.5 million subscribers was extracted by insiders and sold to betting companies that remain Safaricom paybill clients. The court awarded KShs 900,000 to each of eleven named petitioners, with a parallel class action seeking damages of up to KShs 17.25 trillion.
What Happened
Safaricom employees with deep architectural access to the carrier's subscriber systems systematically extracted customer data over an extended period and sold it to betting operators. Simon Billy Kinuthia, Manager of Networks and M-Pesa Systems Auditor, used his auditor-level privileges to author a custom algorithm purpose-built to mine, collate, and package subscriber records for commercial resale. Brian Wamatu Njoroge, Head of Regional Expansion, served as co-conspirator. The High Court found that Safaricom has spent seven years denying, minimizing, and litigating around the incident rather than notifying affected subscribers, and that the buyers of the stolen data remain among the carrier's most valuable corporate clients.
What Was Taken
Records belonging to approximately 11.5 million Safaricom subscribers were extracted directly from the production subscriber database via a bespoke mining algorithm engineered for monetization. The data set was optimized for use by betting companies, implying subscriber identifiers, contact details, and behavioral signals suitable for gambling-industry targeting. The broader customer base of 29.5 million was never notified that any portion of the subscriber population had been compromised. Court findings characterize the exposure as a sustained, repeat-sale operation rather than a single incident.
Why It Matters
This is one of the largest confirmed insider breaches in African telecommunications history, and the first in which a constitutional court has formally tied carrier silence to a violation of the right to informational privacy. The incident demonstrates that insider abuse at the systems-auditor tier can persist for years inside a regulated telco without triggering disclosure, and that the commercial relationship between the carrier and the data buyers can survive judicial findings of wrongdoing. For defenders, the case sets a precedent that failure to notify is itself a distinct, litigable harm, separate from the breach.
The Attack Technique
The compromise was a privileged insider operation rather than an external intrusion. Kinuthia's role as Networks and M-Pesa Systems Auditor granted him architecture-level visibility into the subscriber database, including the access patterns and query surfaces normally reserved for audit and integrity functions. He leveraged that access to develop a custom extraction algorithm tuned to the schema of the subscriber store, producing structured exports formatted for resale. Co-conspirator Njoroge, in a senior commercial role, provided the channel into corporate buyers. No external malware, phishing, or credential theft was required. Standard audit-tier privileges, combined with the absence of egress monitoring on bulk subscriber queries, were sufficient.
What Organizations Should Do
- Treat systems-auditor and database-administrator accounts as Tier 0 identities, with mandatory four-eyes approval for any bulk query against subscriber, billing, or payment tables.
- Deploy query-volume and query-shape anomaly detection on production customer databases, alerting on any extraction that exceeds normal audit baselines or matches mass-export patterns.
- Implement data loss prevention controls on outbound traffic from privileged workstations, including monitoring for structured exports of customer records to personal cloud storage, email, or removable media.
- Establish a documented breach notification playbook with hard legal deadlines, board-level escalation, and a named accountable executive, and rehearse it.
- Audit commercial relationships against breach intelligence: any vendor, partner, or paybill client implicated as a buyer of stolen data should trigger contract review and disengagement.
- Conduct regular privileged-access reviews focused on standing audit rights, and revoke architectural read access from any role that does not require it on a daily operational basis.
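As an added illustration of the query-volume and query-shape anomaly detection recommended above (example code written for this page, not Safaricom's tooling or anything from the court record), the following Python flags both a single oversized identity-bearing query and a low-and-slow extraction spread across a day by one auditor account. The audit-record format, column names, role baselines, window and threshold factor are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of database audit records in a hypothetical format:
# (timestamp, account, role, rows_returned, columns_selected) per SELECT.
SAMPLE_AUDIT = [
    ("2026-03-01T08:05:00", "aud_07", "systems_auditor", 40, ("msisdn", "kyc_status")),
    ("2026-03-01T09:10:00", "aud_07", "systems_auditor", 200, ("msisdn", "full_name", "top_up_total")),
    ("2026-03-01T13:30:00", "aud_07", "systems_auditor", 180, ("msisdn", "full_name", "top_up_total")),
    ("2026-03-01T17:45:00", "aud_07", "systems_auditor", 220, ("msisdn", "full_name", "top_up_total")),
    ("2026-03-01T10:00:00", "aud_12", "systems_auditor", 60000, ("msisdn", "national_id", "full_name")),
    ("2026-03-01T11:00:00", "bill_03", "billing_ops", 45000, ("account_no", "balance")),
    ("2026-03-02T09:00:00", "aud_02", "systems_auditor", 480, ("msisdn", "full_name")),
    ("2026-03-04T09:00:00", "aud_02", "systems_auditor", 480, ("msisdn", "full_name")),
]

IDENTITY_COLUMNS = {"msisdn", "national_id", "full_name", "email"}  # make a result set a subscriber list
# Assumed per-role daily norm of identity rows (derive from history in practice; unknown role -> 0).
ROLE_BASELINE_ROWS = {"systems_auditor": 500, "billing_ops": 5000}
WINDOW = timedelta(hours=24)
SINGLE_QUERY_FACTOR = 10  # one query returning > 10x the daily norm is a mass export

def detect_bulk_extraction(records, baseline=ROLE_BASELINE_ROWS,
                           identity_cols=IDENTITY_COLUMNS, window=WINDOW):
    """Return [(account, kind, rows)] in time order. 'mass_export' flags a
    single oversized identity query; 'low_and_slow' flags an account whose
    identity rows summed over the rolling window exceed its role baseline."""
    alerts = []
    rolling = defaultdict(deque)  # account -> deque of (time, rows) inside window
    for ts, account, role, rows, cols in sorted(records, key=lambda r: r[0]):
        if not identity_cols & set(cols):
            continue  # query shape is not a subscriber export; volume alone is not suspicious
        now = datetime.fromisoformat(ts)
        daily_norm = baseline.get(role, 0)
        if rows > daily_norm * SINGLE_QUERY_FACTOR:
            alerts.append((account, "mass_export", rows))
            continue
        recent = rolling[account]
        recent.append((now, rows))
        while now - recent[0][0] > window:  # evict queries that fell out of the window
            recent.popleft()
        total = sum(r for _, r in recent)
        if total > daily_norm:
            alerts.append((account, "low_and_slow", total))
            recent.clear()  # one alert per sustained run, not one per query
    return alerts

if __name__ == "__main__":
    for account, kind, rows in detect_bulk_extraction(SAMPLE_AUDIT):
        print(f"{account}: {kind} ({rows} identity rows)")
```

The billing query in the sample returns 45,000 rows but touches no identity columns, so it is ignored; widening the window to three days turns the two 480-row reads by aud_02 into a third alert.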