Shock as Safaricom Accused of Selling Data of 11.5 Million Subscribers to Kenya’s Top Betting Firm

Shock as Safaricom Accused of Selling Data of 11.5 Million Subscribers to Kenya’s Top Betting Firm

A major data scandal has rocked Kenya’s telecommunications industry after court documents revealed that personal information belonging to more than 11.5 million Safaricom subscribers was allegedly leaked and nearly sold to a leading sports betting company.

Two former senior Safaricom managers and an ICT audit officer identified as Benedict Kabugi Ndung’u are at the centre of the controversy, accused of orchestrating the massive data breach. The confidential data is said to include subscribers’ names, phone numbers, national ID details, email addresses, and records of online betting activity.

According to filings before the High Court, the data was illegally transferred from Safaricom servers to several Google Drives and later to personal laptops belonging to the former employees. The files, which were encrypted with heavy passwords, allegedly contained information that could be used to predict users’ betting habits and target them with gambling-related advertisements.

Investigations by the Directorate of Criminal Investigations (DCI) and Safaricom indicate that the stolen information accounted for roughly 23 percent of the company’s entire customer base. Attempts to retrieve the data have been unsuccessful, with two of the laptops still untraced.

Safaricom, in its petition, claims the leak was a coordinated attempt to monetise confidential subscriber information. The firm says it was forced to move to court to prevent the sale and dissemination of the data, warning that exposure would lead to massive lawsuits and regulatory penalties.

“The defendants are in possession of highly confidential subscriber data and intend to disseminate it to third parties,” Safaricom told the court, adding that the breach “poses serious risks to millions of subscribers.”

Kabugi, however, denies the allegations and has counter-sued Safaricom in a constitutional petition. He accuses the telco of violating the Data Protection Act by failing to secure customer information and wants the court to compel Safaricom to pay him Sh100 million in damages and Sh10 million for each affected subscriber.

Safaricom has dismissed his claims, terming him a “fake whistleblower” who was directly involved in the illegal data transfer. The company alleges that Kabugi and the former managers abused their privileged access to company systems to extract data “far beyond their authorisation.”

The leaked records reportedly include details of subscribers’ betting patterns, financial transaction histories, gender, age, and location, as well as the specific mobile devices and SIM card types used. Authorities fear such sensitive information could be exploited for identity theft, fraud, and targeted advertising by betting operators.

In Kenya, the Office of the Data Protection Commissioner has recently imposed hefty fines on firms found guilty of data breaches. Internationally, major corporations such as Uber, British Airways, Equifax, and Capital One have faced similar penalties for failing to safeguard customer information.

Court documents also reveal that WhatsApp conversations between the suspects provided the first clue about the existence of the stolen data on Google Drive. One of the implicated managers has since filed a separate case challenging his arrest by DCI officers.

Safaricom maintains that the company acted promptly upon discovering the breach and that it continues to cooperate with investigators to recover the data and protect affected users.

“The subscriber data contained millions of confidential records which must remain protected under law,” the firm stated, warning that unauthorised use of the data could attract criminal penalties, including a fine of Sh5 million or imprisonment of up to 10 years.

The case is expected to return to court on October 30, 2025, for pre-trial directions as both the civil and criminal investigations continue.

If proven, the scandal would mark one of the largest data breaches in Kenya’s history — raising serious questions about how well telecom giants safeguard the private information of millions of users who rely on their networks daily.