Wasteland.
▣ Breach SAFARICOM-DATA-BRE 2026-05-19

Safaricom: Kenyan High Court Ruling on Telecom Data Breach

Kenya's High Court has issued a landmark ruling in a long-running case against Safaricom, East Africa's largest mobile operator, over the exposure of subscriber data belonging to millions of customers. The decision confirms that customer records, including identification details and call data, were improperly handled and accessible outside authorized channels, triggering a fresh wave of regulatory scrutiny across the region's telecom sector.

What Happened

The High Court ruling concludes a multi-year legal battle in which plaintiffs argued that Safaricom failed to safeguard subscriber data tied to its mobile money and voice services. According to the proceedings, internal records and call data linked to millions of M-PESA and prepaid SIM users were accessible to unauthorized parties, with allegations that the data was further shared with third parties without consent. The court found that Safaricom did not meet its obligations under Kenya's Data Protection Act, opening the door to compensation claims and compliance orders enforced by the Office of the Data Protection Commissioner (ODPC).

What Was Taken

Court filings and supporting evidence indicate the exposed data set included subscriber personal identifiers (full names, national ID numbers, and registered phone numbers), call detail records (CDRs) tied to specific MSISDNs, and metadata associated with M-PESA mobile money transactions. Geolocation data derived from cell tower connections was also reportedly accessible. While the exact record count remains subject to forensic verification, Safaricom serves over 45 million subscribers in Kenya, making the population of potentially affected customers among the largest in any African data protection case to date.

Why It Matters

This ruling is the most consequential data protection decision yet issued under Kenya's 2019 Data Protection Act and sets a precedent for the entire African telecom industry. For defenders, the case underscores that telecom-held identity and transaction data, especially when tied to mobile money platforms, is treated as high-value PII subject to strict regulatory liability. The judgment also signals that civil litigation, not just regulatory fines, is becoming a viable enforcement vector in Africa, raising the cost of inadequate access controls and increasing the threat surface for SIM swap, KYC bypass, and mobile money fraud operations that depend on leaked subscriber data.

The Attack Technique

The exposure was not the result of an external intrusion in the classic sense but stemmed from insufficient internal access controls and over-broad data sharing with affiliates and third parties. Investigators highlighted that subscriber records were queryable by personnel and connected partners beyond what was necessary for service delivery, with no enforced segregation between operational data and law enforcement disclosure pipelines. Audit logging gaps made it difficult to attribute specific record pulls to legitimate business purposes. The court treated this as a failure of "privacy by design," echoing patterns seen in other telecom breaches where insider access and weak data governance, rather than zero-days, drive large-scale exposure.
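
The gaps described above (record pulls beyond what a role needs, no separation between operational and disclosure pipelines, and pulls with no attributable purpose) can be checked mechanically against access logs. The Python below is an added example, not taken from the court record or from Safaricom's systems; the log format, role names, field names and policy table are assumptions constructed for illustration.

```python
# Added example: roles, field names, policy and log records are all constructed.
import json

# Assumed least-privilege policy: the fields each role needs and the one
# pipeline it may use. Lawful disclosure is kept separate from operations.
POLICY = {
    "customer_care": {"pipeline": "operational", "fields": {"name", "msisdn"}},
    "fraud_analyst": {"pipeline": "operational",
                      "fields": {"name", "msisdn", "mpesa_meta"}},
    "disclosure_officer": {"pipeline": "lawful_disclosure",
                           "fields": {"name", "national_id", "msisdn", "cdr", "cell_location"}},
}

# Constructed sample of record-pull audit entries, one JSON object per line.
SAMPLE_LOG = """\
{"actor": "u101", "role": "customer_care", "pipeline": "operational", "fields": ["name", "msisdn"], "purpose_ref": "TICKET-1"}
{"actor": "u102", "role": "customer_care", "pipeline": "operational", "fields": ["name", "cdr", "cell_location"], "purpose_ref": "TICKET-2"}
{"actor": "u103", "role": "fraud_analyst", "pipeline": "operational", "fields": ["msisdn", "mpesa_meta"], "purpose_ref": ""}
{"actor": "p900", "role": "partner_api", "pipeline": "operational", "fields": ["national_id"], "purpose_ref": "BATCH-7"}
{"actor": "u104", "role": "disclosure_officer", "pipeline": "operational", "fields": ["cdr"], "purpose_ref": "ORDER-3"}
"""

def review_pull(rec):
    """Return the list of policy findings for one record-pull log entry."""
    rule = POLICY.get(rec.get("role"))
    if rule is None:
        return ["unknown_role"]  # deny by default: no defined need for this role
    findings = []
    if not (rec.get("purpose_ref") or "").strip():
        findings.append("no_purpose")  # pull cannot be tied to a business reason
    extra = set(rec.get("fields", [])) - rule["fields"]
    if extra:
        findings.append("excess_fields:" + ",".join(sorted(extra)))
    if rec.get("pipeline") != rule["pipeline"]:
        findings.append("wrong_pipeline")  # pipeline segregation not respected
    return findings

def review_log(text):
    """Map actor -> findings for every log line that violates the policy."""
    flagged = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            findings = review_pull(rec)
            if findings:
                flagged.setdefault(rec.get("actor", "?"), []).extend(findings)
    return flagged

if __name__ == "__main__":
    for actor, findings in review_log(SAMPLE_LOG).items():
        print(actor, findings)
```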

What Organizations Should Do

Sources: Safaricom data breach high court ruling