Safaricom’s Sh115 Trillion Data Breach Scandal: How Kenya’s Telecom Giant Sold Out 11.5 Million Customers

The chickens have finally come home to roost for Safaricom. In what could be the largest corporate privacy violation in African history, Kenya’s telecommunications behemoth now faces a staggering Sh115 trillion lawsuit after failing to protect the personal data of 11.5 million subscribers whose betting histories, biometric information, and intimate financial details were stolen and nearly sold to the highest bidder.

And the kicker? Settlement talks have collapsed spectacularly.

When the parties appeared before High Court deputy registrar Sylvia Moturi on October 8, 2025, they admitted what many had suspected: Safaricom’s attempt to quietly sweep this nuclear-level data breach under the rug had failed.

The company, which had desperately sought to settle the civil suit outside court in exchange for the withdrawal of counter-suits and promises that the stolen data trove wouldn’t be transferred, now faces the full wrath of a judicial system and millions of betrayed customers.

The Heist That Exposed Safaricom’s Rotten Core

This wasn’t some sophisticated hack by shadowy cybercriminals operating from a basement in Eastern Europe.

This was an inside job, orchestrated by Safaricom’s own trusted senior managers who turned the company’s servers into their personal ATM.

The plot reads like a thriller, except the victims are real: two former Safaricom senior managers, Brian Wamatu Njoroge and Simon Billy Kinuthia, conspired with external accomplices to create an algorithm that would mine and analyze subscriber data based on betting patterns.

What they extracted was a goldmine of personal information on 11.5 million Kenyans, representing 23 percent of Safaricom’s entire customer base.

The stolen data wasn’t just phone numbers and names. Court documents reveal a disturbing inventory: full names, mobile numbers, birth dates, gender, national ID numbers, passport numbers, military ID numbers, alien card numbers, gambling transaction histories, M-Pesa details, total bet amounts, handset information, dual SIM specifications, and precise subscriber locations down to the county and locality level.

This is the kind of data that hackers would kill for. The kind that enables identity theft, targeted scams, financial fraud, and blackmail. The kind that, in the wrong hands, could destroy lives.

The Google Drive That Safaricom Can’t Crack

Here’s where it gets truly embarrassing for a company that bills itself as a technology leader: the thieves transferred this mountain of sensitive data from Safaricom’s supposedly secure servers to Google Drive accounts protected by “heavy passwords.”

Safaricom, despite all its technical expertise and resources, has been unable to access these drives.

The data was then downloaded onto three personal laptops.

Safaricom and the Directorate of Criminal Investigations have been unable to trace two of these laptops.

Translation: somewhere out there, two computers containing the private information of 11.5 million Kenyans are floating in the digital underground, potentially being copied, sold, or weaponized as we speak.

The Whistleblower Safaricom Tried to Silence

Enter Benedict Kabugi, the man at the center of this legal maelstrom.

When Kabugi was approached on May 18, 2019, by individuals trying to sell the stolen data to betting giant SportPesa, he did what any responsible citizen would do: he reported it to the police and to Safaricom itself.

What happened next reveals the moral bankruptcy at the heart of Safaricom’s crisis management strategy.

Instead of thanking Kabugi for exposing a catastrophic breach, Safaricom branded him a “fake whistleblower” and accused him of extortion.

The company claims Kabugi demanded Sh100 million to reveal the identity of the data thieves.

But court documents and WhatsApp exchanges paint a very different picture: it was Safaricom’s own senior manager, Patrick Kinoti, who initiated discussions about compensation, offering Kabugi Sh3 million for his “intelligence” and even sending him a “weekend token” of Sh50,000 via M-Pesa.

When Kabugi, rightfully concerned about his own compromised data and seeking proper compensation, pushed back, Safaricom unleashed the dogs.

He was arrested multiple times, detained at Gigiri Police Station, and charged with demanding Sh300 million “with menace.”

This, despite the fact that he had cooperated fully with authorities and helped orchestrate the sting operation that led to the arrest of the data thieves.

The Smoking Gun: Safaricom Was Selling Customer Data All Along

The most damning evidence comes from Charles, a former Safaricom employee turned accomplice.

In his statement to investigators, Charles dropped a bombshell: he attended an official meeting at Safaricom’s offices in 2017 where the sole agenda was “to discuss how Safaricom could monetize data from its M-pesa platform and customer database.”

Read that again.

Safaricom wasn’t just negligent in protecting customer data. According to a former insider, the company was actively exploring ways to sell it.

Charles further revealed that the stolen betting data wasn’t unique.

He was told “there was a comprehensive database of betting data that was already in the market and possibly in use by other companies.”

This suggests that the 11.5 million subscriber breach might just be the tip of the iceberg.

When you subscribe to Safaricom, nowhere in the terms and conditions does it say the company reserves the right to sell your personal information to third parties. Yet here we are, with multiple sources indicating this has been standard practice.

A Company That Learned Nothing

What’s perhaps most infuriating is Safaricom’s continued arrogance throughout this saga.

The company has fought tooth and nail to prevent transparency, allegedly pressuring mainstream media outlets like Nation and Standard newspapers to bury the story by threatening to pull lucrative advertising contracts.

They’ve thrown legal obstacles at every turn, refusing to hand over the stolen data to the court for examination, claiming security concerns, even as that same data potentially circulates in criminal networks worldwide.

And despite charging their own employees with the theft, despite the mountain of evidence, despite the clear failures in their security protocols, Safaricom has yet to offer a single meaningful apology to the 11.5 million subscribers whose privacy they violated.

The Sh115 Trillion Reckoning

Now, with settlement talks dead, Safaricom faces the very real possibility of catastrophic liability.

Kabugi, representing himself and potentially all 11.5 million affected subscribers, is demanding Sh10 million per victim.

If the court rules in his favor, the total damages would reach Sh115 trillion, an amount that would not only bankrupt Safaricom but send shockwaves through Kenya’s entire economy.

Even a fraction of that amount would dwarf the fines levied against data breach giants like British Airways (£183 million), Facebook ($5 billion), and Equifax ($650 million).

But here’s what makes this case different: those companies were hacked by external criminals. Safaricom was robbed by its own employees, suggesting systemic failures in hiring, vetting, access controls, and corporate culture.

Even worse, evidence suggests the company may have been complicit in selling customer data long before this particular breach occurred.

International Implications

The scandal has already crossed borders. Over 500 European Union citizens residing in Kenya had their data compromised, triggering potential lawsuits in London and Paris under the EU’s stringent General Data Protection Regulation (GDPR).

Unlike Kenya’s toothless data protection framework, GDPR carries teeth, allowing for fines up to 4 percent of global annual revenue.

Safaricom, as a subsidiary of UK-based Vodafone, could find itself in the crosshairs of British and European regulators who don’t take kindly to companies that treat customer privacy as an afterthought.

What This Means for Every Kenyan

If you’ve ever used your Safaricom line to place a bet, your data was stolen. Your full name, ID number, how much you gamble, where you live, what phone you use, your M-Pesa transaction history—all of it is out there.

If you’re a Muslim who bet during Ramadan, that information could be used to shame or blackmail you. If you’re a politician with gambling habits, you’re potentially exposed. If you’re anyone who values privacy, you’ve been betrayed by a company you trusted with your most sensitive information.

The case returns to court on October 30, 2025, for a pretrial hearing. Criminal proceedings against the two former Safaricom managers and their accomplices continue separately.

But regardless of the legal outcomes, one thing is crystal clear: Safaricom has shown itself to be an unreliable custodian of customer data, a company more interested in protecting its reputation than its subscribers, and a corporation willing to weaponize the police and courts against whistleblowers who expose its failures.

Kenya deserves better. Safaricom’s 11.5 million victims deserve better.

And until this company faces real consequences for its negligence and alleged complicity in selling customer data, no Kenyan’s information is truly safe.

The Sh115 trillion question is no longer whether Safaricom is guilty. It’s whether Kenya’s justice system has the backbone to hold them accountable.