Safaricom Has Never Told Its 29.5 Million Customers That Their Stolen Data Is In Unauthorised Hands And The Company It Accuses Of Buying It Is Still Its Client
Seven years after Safaricom’s own senior managers extracted the intimate financial, gambling and location records of 11.5 million Kenyans and sold them to betting companies named in court, the telecom giant has prosecuted two employees while doing nothing to pursue the firms that bought the stolen data. A High Court judgment now forces a reckoning the company spent years trying to avoid.
On May 13, 2026, Justice Bahati Mwamuye of the High Court’s Constitutional and Human Rights Division delivered a judgment that Safaricom PLC has every reason to wish had never been written.
In fifty pages of meticulous constitutional analysis, the Court confirmed what the company had spent seven years and considerable legal resources attempting to deny, minimise, and bury in parallel proceedings: that Safaricom’s own employees systematically extracted the personal data of approximately 11.5 million subscribers and sold it, repeatedly and for money, to betting companies that are among Kenya’s largest commercial enterprises and, by extension, among Safaricom’s most valuable paybill clients.
The judgment awarded KShs 900,000 each to the eleven named petitioners in HCCHRPET No. E095 of 2026. The total direct payout of KShs 9.9 million is the smallest number in a litigation landscape that now stretches to a theoretical KShs 17.25 trillion if the separate class petition filed on behalf of all 11.5 million affected subscribers is eventually resolved on the same constitutional basis.
But the money is not the story.
The story is what Safaricom has not done in the seven years it has known the scale of what happened, what it is still not doing, what the law requires it to do, and what the silence of its lawyers, its board, and its communications department tells Kenyans about the relationship between corporate power, regulatory enforcement, and the constitutional right to informational privacy.
“Where personal data of millions is exposed, privacy ceases to be an abstract constitutional promise and becomes a lived vulnerability. The Constitution does not permit such vulnerability to be normalised in the name of technological convenience or institutional denial.” — Justice Bahati Mwamuye, May 13, 2026
THE DATA: WHAT WAS STOLEN AND WHY IT MATTERS
Before examining what Safaricom has failed to do, it is necessary to understand what was actually taken, because the inventory is extraordinary in its breadth and its intimacy, and because the casual use of the phrase “data breach” flattens a reality that is far more disturbing.
Simon Billy Kinuthia held the position of Manager, Networks and M-Pesa Systems Auditor at Safaricom. That title is significant. He was not a junior analyst stumbling across accessible files. He was a systems auditor with architecture-level access to the subscriber database, and he used that access to design a bespoke algorithm specifically engineered to mine, collate, and package subscriber information in a form optimised for commercial sale to betting companies. His co-conspirator, Brian Wamatu Njoroge, was Head of Regional Expansion. These were not peripheral figures.
What Kinuthia’s algorithm extracted from Safaricom’s systems and transferred to a Google Drive account under his personal control, which Safaricom has confirmed it has never been able to access, covered every dimension of a subscriber’s identity and financial life. Court documents confirm the stolen dataset included full legal names, mobile numbers, gender, date of birth, nationality, national identity card numbers, passport numbers, military identity card numbers, alien card numbers where applicable, and certificate of incorporation numbers for registered entities. It also included the specific betting platforms on which subscribers were registered, complete gambling transaction histories covering total amounts staked and the number of individual pay-in transactions, the date of each subscriber’s most recent bet, M-Pesa financial records funding betting activity, the make, model, and IMEI number of each subscriber’s handset, the network generation in use, dual-SIM status, and geolocation data down to constituency level.
This was not raw data in any meaningful sense. Kinuthia’s algorithm was purpose-built. It collated and cross-referenced these fields into a profile of each subscriber specifically designed for commercial exploitation by betting companies: who they were, where they lived, what device they carried, how much they gambled, how often, and through what platform. It was, as the judgment records, a goldmine for targeted marketing, behavioural profiling, and identity exploitation.
The dataset migrated from Safaricom’s servers to Kinuthia’s Google Drive, then onto personal laptops. The DCI and Safaricom located one laptop. Two remain unaccounted for. Nobody knows where they are. Nobody knows who has copies of what was on them. Nobody knows whether that data has been further copied, sold, shared, or uploaded to servers in jurisdictions beyond the reach of Kenyan law enforcement. That ambiguity is not academic. It is the lived reality for 11.5 million people whose most sensitive personal and financial information is, as Safaricom itself admitted in HCCC No. 194 of 2019, irretrievably beyond its control.
Two laptops loaded with the intimate records of 11.5 million Kenyans remain unaccounted for. Safaricom has admitted it cannot recover the data. It has never told a single subscriber.
THE SELECTIVE PROSECUTION: TWO EMPLOYEES, NO BUYERS
Safaricom’s response to the breach, once it could no longer be concealed entirely, followed a precise and revealing logic. The company reported the matter to the Directorate of Criminal Investigations. Criminal Case No. 962 of 2019 and Criminal Case No. 979 of 2019 were instituted against Simon Billy Kinuthia and Brian Wamatu Njoroge. Those cases, later consolidated, remain before the courts in their seventh year.
The charges against Kinuthia and Njoroge are serious: computer fraud, unlawful copying and transfer of subscriber data, and demanding money with menaces from Safaricom. The DCI forensic report that underpins those charges is described in the court record as one of the major pieces of evidence being used by the Office of the Director of Public Prosecutions to date.
That same DCI forensic report, which Safaricom and the ODPP are using to prosecute two former employees, names the entities that purchased the stolen data. The WhatsApp forensic communications admitted into evidence as Annexure ATM-3 in the constitutional petition, introduced into the record by Safaricom itself, identify the recipients of subscriber data in explicit terms. The judgment of Justice Mwamuye records those named entities and individuals as Andrew Aligula, Odibet, the Mburus, Betika, Charles, and the Mule. The Court described these references as neither incidental nor innocuous and characterised the communications as evidence of a coordinated and organised pattern of external transmission and commercial exploitation of confidential subscriber information.
Betika is one of Kenya’s largest sports betting platforms. It was co-founded by George Mburu and Chris Mwirigi, and the reference to “the Mburus” in the forensic WhatsApp record, read alongside civil filings, now carries what the judgment describes as a judicial imprimatur it previously lacked. Odibets, which trades through Kareco Holdings and entered the Kenyan market in 2018, precisely the period during which the data extraction was occurring, is similarly named.
The initial intended destination for the full dataset was Pevans East Africa, which trades as SportPesa. That deal collapsed when a Safaricom executive could not guarantee a continuous supply of data. The data was subsequently sold more broadly across the betting sector.
Safaricom has never reported any of these entities to the DCI. It has never written to the ODPP to request that charges be brought against the companies that purchased data it describes as stolen. It has never petitioned the Betting Control and Licensing Board, or the Communications Authority, or the Office of the Data Protection Commissioner to investigate or sanction any of the named buyers. In seven years, not once.
The prosecution of Kinuthia and Njoroge, constructed on a forensic report that identifies the buyers, while those buyers remain entirely unmolested, is selective law enforcement of the most consequential kind. These are not minor technical infringements. Knowingly purchasing stolen personal data, including identity documents, financial transaction records, and precise geolocation, implicates provisions of the Computer Misuse and Cybercrimes Act, the Data Protection Act, the Consumer Protection Act, and the Constitution itself. The silence of Safaricom on this question is not passivity. It is a choice.
Safaricom has used the DCI forensic report that names Betika, Odibets, and others as buyers of stolen subscriber data to prosecute its own former employees. It has never used that same report to pursue the buyers. Not once in seven years.
THE REVENUE RELATIONSHIP: WHY THE SILENCE MAKES FINANCIAL SENSE
The commercial logic of Safaricom’s inaction is not difficult to reconstruct, and the High Court itself noticed it. The judgment records the Petitioners’ submission that the dissemination of subscriber data enabled targeted betting promotions and behavioural profiling by betting companies, resulting in increased betting activity and a corresponding rise in M-Pesa transaction volumes from which the Respondent earned substantial revenue, and that this commercial nexus is evidenced by Safaricom’s own financial disclosures during the relevant period.
Safaricom denied that it derived any commercial benefit from the breach. Justice Mwamuye did not make a definitive finding on that precise point, but he did not need to. The structural reality of the relationship speaks clearly enough. Betika and Odibets are not marginal operators. They are among Kenya’s highest-volume paybill users. Every bet placed through M-Pesa generates a transaction fee for Safaricom. The more bets are placed, the more Safaricom earns. Targeted marketing campaigns built on illegally obtained subscriber profiles, showing exactly who gambles, how much, on what platform, and through what handset, are precisely the kind of tool that drives betting volumes.
Pursuing the companies that purchased the stolen data through criminal or regulatory channels creates risks that Safaricom’s board has evidently assessed and decided to avoid. It would expose those companies to criminal liability and possible licence revocation, eliminating or severely disrupting the paybill revenue they generate. It would also force a public examination of whether Safaricom’s commercial relationship with those companies during and after the breach period was consistent with its legal and constitutional obligations. The two former employees, by contrast, are individuals of limited means and no transactional relationship with the company going forward. Prosecuting them costs Safaricom nothing commercially. Pursuing the buyers might cost it significantly.
The source familiar with the proceedings puts the matter directly: it is one of the major pieces of evidence being used by the ODPP to prosecute those two boys. And they are using that report selectively. The law applies selectively for Safaricom: prosecute the poor boys, leave alone those who they stole the data on behalf of because they make money for us.
THE LEGAL OBLIGATION SAFARICOM HAS IGNORED FOR SEVEN YEARS
Kenya’s legal framework on data breach notification is not ambiguous. Section 43 of the Data Protection Act, 2019 requires a data controller to notify the Office of the Data Protection Commissioner and affected data subjects of a personal data breach in the most expeditious manner possible and within seventy-two hours of becoming aware of it. Safaricom became aware of the breach in May 2019. The Data Protection Act came into force in November 2019. The question of whether the notification obligation attaches retrospectively to a breach that predates the Act but was known to the controller after its commencement is a live legal question with significant implications.
What is not in dispute is that Safaricom has never, in seven years, issued a public notification to its subscriber base about the breach. It has never written to the affected individuals to inform them that their national identity card numbers, their betting histories, their M-Pesa transaction records, and their home locations were extracted from its systems and sold to third parties. It has never given subscribers the information they would need to protect themselves: to be alert to identity fraud, to monitor for suspicious financial activity, to understand that strangers have possessed intimate details of their financial lives since 2018.
The constitutional basis for that notification obligation exists independently of the Data Protection Act. Article 46 of the Constitution guarantees consumers the right to information necessary for them to gain full benefit from goods and services and to protect their economic interests. Justice Mwamuye found a violation of Article 46 in this case, holding that a service provider processing highly sensitive consumer data at scale, which fails to ensure adequate safeguards, renders its service deficient within the meaning of constitutional consumer protection standards. A subscriber who does not know their data has been stolen cannot protect themselves. The failure to inform is itself a continuing constitutional violation.
Safaricom is also now confronted with disclosure obligations as a publicly listed company. Following the judgment of May 13, 2026, the Capital Markets Authority and the Nairobi Securities Exchange impose obligations of material disclosure on listed entities. A High Court constitutional finding that the company violated the fundamental rights of 11.5 million people through systemic failures in data governance is, by any standard, material information for shareholders. Whether Safaricom has made the disclosures required of it to CMA, NSE, and its shareholders in the weeks since that judgment is a question its board and its lawyers will need to answer.
Safaricom has never told a single one of its 29.5 million subscribers that a breach occurred. After seven years, and a High Court constitutional finding, it is now legally required to disclose to the Capital Markets Authority, to NSE, and to its shareholders. The clock is running.
THE WHISTLEBLOWER SAFARICOM HELPED ARREST
Benedict Kabugi is the figure at the centre of the parallel proceedings who does not fit neatly into Safaricom’s preferred narrative. He was the intermediary approached by Kinuthia and Njoroge to find buyers for the data. In May 2019, he alerted Safaricom to the breach. Safaricom’s response was to report him to the DCI, and Kabugi was subsequently charged with demanding money with menaces, accused of seeking KShs 300 million from Safaricom in exchange for disclosing the source of the data.
Kabugi has consistently maintained that he was acting as a whistleblower and that his demand was a negotiation, not extortion. The criminal cases against him and the former employees have now been proceeding for seven years without resolution. The High Court in the E095 petition admitted Kabugi’s affidavit into evidence, declined to strike it out as Safaricom requested, and treated it as corroborative material supported by independent forensic records including Safaricom’s own annexures.
Kabugi has separately petitioned the DCI, the Gambling Regulatory Authority of Kenya, and other bodies to investigate and revoke the licences of the betting companies named in the forensic record. He has done what Safaricom, whose data was stolen and whose subscribers were violated, has declined to do. The company that was breached has not made a single representation to any regulatory authority about the entities it identifies in its own civil proceedings as the buyers of its subscribers’ stolen data.
THE DATA THAT IS STILL OUT THERE
The nightmare scenario for 11.5 million Kenyans is not theoretical. It is ongoing. Two laptops containing the complete subscriber dataset, or copies of it, have not been recovered. The Google Drive account controlled by Kinuthia has never been accessed by Safaricom or by law enforcement. The data was sold multiple times between June 2018 and May 2019; the forensic record establishes repeated commercial transactions, not a single transfer. Copies are in the hands of persons who purchased them, possibly in the hands of persons to whom those purchasers have further distributed them, and possibly on servers in jurisdictions where Kenyan law has no reach.
What can be done with a dataset of this kind in 2026 is not a matter of speculation. It is a matter of established criminal practice. Full legal names combined with national identity card numbers, passport numbers, and dates of birth are the complete toolkit for identity fraud and account takeover. IMEI numbers linked to subscriber identities enable device-level surveillance and SIM swap attacks. M-Pesa transaction histories reveal spending patterns, financial vulnerabilities, and the timing and size of income flows, all of which are useful for targeted financial fraud. Geolocation data down to constituency level, combined with the other fields, creates a profiling capability of extraordinary granularity.
The betting transaction histories are perhaps the most sensitive field of all. Gambling behaviour is associated with financial vulnerability. People who bet heavily are, statistically, more susceptible to predatory lending, fraud, and financial exploitation. A dataset specifically filtered to identify heavy gamblers, cross-referenced with their M-Pesa transaction records and their home location, is a map to the most financially precarious segment of the subscriber base. That map is, as far as anyone can determine, still in circulation.
Safaricom has not told these people. It has not told them what was taken, who has it, or what they should do to protect themselves. It has conducted no public information campaign. It has commissioned no independent audit of where the data went after it left Kinuthia’s laptops. Seven years after the breach, 29.5 million Safaricom subscribers, not just the 11.5 million confirmed to be in the stolen dataset but every subscriber who cannot know whether their records were captured, are being protected by nothing except the company’s continued silence.
THE QUESTION THE DPP HAS NOT ANSWERED
The ODPP’s role in this matter deserves separate scrutiny. The office is prosecuting Kinuthia and Njoroge using a forensic record that names buyers. The ODPP has not charged any of the named buyers. The question of whether that decision reflects an assessment of evidence, a prosecutorial policy, or something else is one that the office has not explained publicly.
The Computer Misuse and Cybercrimes Act creates offences of unauthorised access and use of computer data. Knowingly receiving and deploying stolen subscriber data for targeted commercial purposes is not obviously outside the reach of those provisions. The Consumer Protection Act and the Data Protection Act create additional regulatory offences. Whether the threshold of evidence available from the DCI forensic report is sufficient to support charges against the buyer entities is a matter for the ODPP to assess transparently and publicly, not to decline in silence.
The source involved in the proceedings identifies the ODPP’s silence as a live question: is there a conspiracy too with the DPP? That is a question this publication puts to the ODPP. The office should answer it.
WHAT THE JUDGMENT NOW REQUIRES
Justice Mwamuye’s ruling is not merely retrospective. It creates immediate legal obligations. The High Court issued declarations that Safaricom violated the Petitioners’ constitutional rights under Articles 28, 31, and 46 of the Constitution. It awarded constitutional damages and costs. It ruled that liability arises not merely from employment categorisation, but from institutional failure to secure constitutionally protected personal information.
That institutional finding does not expire with the payment of KShs 9.9 million. The Office of the Data Protection Commissioner, which has powers to investigate, audit, and sanction data controllers, now has a High Court constitutional record of systemic data governance failure on which to act. The Gambling Regulatory Authority of Kenya, formerly BCLB, has licence oversight responsibilities that must be read against a judicial finding that named betting companies received stolen subscriber data. The Communications Authority has regulatory jurisdiction over Safaricom as a licensed telecommunications operator. None of these bodies has acted publicly on the information available from the civil and criminal proceedings of the past seven years. The High Court judgment removes any remaining basis for that inaction.
HCCPET No. 247 of 2019, the original class petition filed by Kabugi representing himself and the full class of approximately 11.5 million affected subscribers, remains pending and was stayed pending the criminal cases. Those criminal cases, seven years old and unresolved, have now been overtaken in constitutional significance by the May 13 judgment. The class petition, if pursued on the same constitutional basis, exposes Safaricom to damages that would constitute the largest constitutional compensation award in Kenyan legal history.
If the class petition filed on behalf of 11.5 million affected subscribers proceeds on the constitutional basis established by Justice Mwamuye, Safaricom faces a total exposure measured in trillions of shillings. Its silence is not a legal strategy. It is a liability accumulating interest.
THE GOVERNANCE FAILURE AT THE HEART OF THIS STORY
The constitutional questions in this case were resolved in fifty pages. The corporate governance questions are not. How did two senior managers, one a systems auditor with architecture-level database access, operate an organised data extraction and sales enterprise over twelve months without detection? What internal audit mechanisms were in place? What access controls existed? Why were employees granted unrestricted access to 11.5 million subscriber records as a matter of ordinary employment, with no audit trail adequate to detect or prevent systematic extraction?
Safaricom has never answered these questions publicly. Its position throughout the litigation was that the conduct was rogue, isolated, and criminal, and therefore not attributable to the institution. The High Court rejected that framing comprehensively. Justice Mwamuye held that the breach occurred through systems wholly within the Respondent’s custody and control and was facilitated by systemic failures in data governance, internal oversight, and data-security safeguards.
The company that processes the M-Pesa transactions of a majority of Kenya’s economically active population, that holds mobile money and personal data on nearly a quarter of the country’s total population, that positions itself as the digital infrastructure of the Kenyan economy, told a High Court that its data governance systems were not adequate to prevent twelve months of organised, repeated, commercially motivated extraction of 11.5 million subscriber profiles. The Court agreed.
Safaricom’s response to the judgment of May 13, 2026 will define its relationship with its subscriber base and with constitutional accountability for a generation. It can appeal and extend the litigation. It can maintain its silence toward the buyers of the stolen data. It can continue not to notify its subscribers. Each of those choices carries costs: to its reputation, to its regulatory relationships, to its litigation exposure, and to the 11.5 million people who have been waiting seven years for a company they trusted with their most sensitive information to tell them the truth.
The High Court has now told them. Safaricom should have been first.
