Connect with us

Investigations

Part III: How A Safaricom’s Former Employee’s Statement Implicated The Company On Selling Customers Data To Third Parties In Data Breach Case

Published

on

Safaricom Chairman Nicholas Ng’ang’a and Interim CEO Michael Joseph.

Safaricom is battling a Sh115Trillion class action suit that this site has actively been updating on. While this case is unlikely to be highlighted in the mainstream media in which according to the petitioner a Mr. Benedict is as a result of Safaricom’s big financial muscles and putting the media in their pockets, Kenya Insights covers it extensively.

As you’ve seen in our part oneone and two of the serialization, Safaricom is being accused of letting data of about 11.5M gamblers data breached. According to a lawsuit in court, Data of gambling customers was obtained from the system through their own employees( Safaricom admitted to this by charging the employees involved).

Data which was then to be sold to third parties contained private information of customers and on being exposed to unauthorized users not only put themselves at risks of illegalities but also put serious data protection on the company. It’s unimaginable what a third party would do with that much information on customers that was breached.

In a well planned heist that would later backfire, a Mr. Mark and Mr.Charles(Former Safaricom employee) conspired with Safaricom’s employees; Brian Wamatu and Simon Billy Kinuthia, conspired to steal and sell the data to a gambling firm since it had gamblers data. In mind, they wanted Sportpesa as they’d give a lucrative deal.

Advertisement

Mark, a computer geek and a conspirator in the deal, approached Mr. Benedict Kabugi who would later make the meeting with Sportpesa CEO Ronald Karauri possible to negotiate a deal.

As things would turn out, Benedict was arrested by CID detectives based in Safaricom and questioned, his cooperation would then lay ground for a sting operation where Mark and Charles were arrested leading to the arrests of Safaricom’s employees Brian and Billy.

Related Content:  Flopping Quickmart on the spot again for selling unfit “Fresh” meat products. ​

During questioning, Charles who in his statement said he was a former employee of Safaricom and what remains not only interesting but incriminating statement on his former employer.

Charles in his statement said he met Brian Wamatu in 2009 at Safaricom when he joined the company. They both worked in the IT department as project managers.

As former colleagues and family friends, Brian had indulged Charles on a marketing scheme and that he had Safaricom’s customers data that would be monetized. “He advises me that he was aware that there’s a comprehensive database of betting data that was already in the market and possibly in use by other companies.” Charles said in his statement according to court documents seen by Kenya Insights.

Advertisement

Brian promised to introduce Charles to someone who had the knowledge of the database and eventually linking to the data. Later on, Charles was introduced to a Mr. Billy Kinuthia who also happened to be a Safaricom employee and an IT consultant.

“Mr Billy advised me that he was aware of the data and that he would connect me to the providers.” Charles noted in his statement.

Charles confirmed how he would receive an anonymous google drive link for an account named “root kitting” and instructions to download. He explains how this became the standard procedure an indication that data was illegally accessed severally.

He even goes further to indicate that he attended an official meeting at the Safaricom’s offices in 2017 whilst working for a company he refers to as “Mtandao” with the sole agenda for the meeting being to discuss how Safaricom could monetize data from its M-pesa platform and customer data base.

He confirms receiving a sample through the now “normal channels” and receiving the google drive links for download and which data they were informed at the time of the arrest, had been irregularly obtained from Safaricom.

Advertisement
Related Content:  A Deadly Revenge Attack At Lokichoggio AIC Secondary School Leaves Seven Dead As Security Forces Incompetence Costs Students Lives

In the backdrop of all this, it’s likely that Safaricom might survive but again it’s alarming because Kenya doesn’t have well laid data protection laws. According to different sources, data of customers which includes politicians, mighty people in this country, more scandalous is even Muslim faithfuls who were betting during the holy month contrary to religious beliefs is in the exposed database. What happens if this data gets into the hands of rogue characters and it’s leaked especially in this dark web error?

Safaricom on their side have failed their customers in this instant to protect their data and privacy. A breach of trust. It’s even more disturbing when former employees confess that the company is allegedly involved in selling or intending to sell customers data to third parties. It’s illegal because when one subscribes to Safaricom, there’s no section in the T&Cs that allows that to sell their data to third party, they need to protect their privacy.

While the data protection laws in Kenya are really weak for Safaricom to shoot themselves in the foot, it’s high time Kenyans and lawmakers take seriously. From the statements, this data that’s petitioned could possibly be with other companies who knows what unauthorized persons would do with such privileged data?

Safaricom need to take extra measures to ensure data of customers is kept in safety. While in Kenya strict data laws don’t exist, Safaricom could be facing bigger problems outside the borders. It’s reported that over 500 data of foreign gamblers in Kenya was breached and they’re taking things to the international court.

Related Content:  Incompetent NOC-K And Selfish Sports Ministry Officials Dampens Morale For Kenyan's Athletes In Rio Olympics

It now emerges that Safaricom’s troubles are going international with two possible lawsuits likely to be lodged in Paris and London. According to a London based publication, two new lawsuits are preparing to be filed sometime in the next couple of weeks in both London and Paris. 

Advertisement

They are being introduced based on the General Data Protection Regulation (GDPR) of the European Union (EU), and assert that the data breach affected over 500 European citizens that reside in Kenya.Since the GDPR specifies how data of EU citizens has to be protected, even beyond EU borders, the lawsuits allege that Safaricom can be held accountable.

Following our previous episodes of this data breach expose, many gamblers suspecting their data was breached have reached out to this site on how they can enjoin the petition. We shall update you when we have the right information and give you the right direction. For now the matter is before court with only one petitioner Mr. Benedict Kabugi.

Big question now is; if we’re to take Safaricom’s Former employees confessions that customers data are already with other companies then just how spread is this and how safe is it on customers who’s private information is exposed to unauthorized users. Lastly, what punitive measures is Safaricom taking to protect consumers considering they’re own turner employers have implicated them in third parties data sales?


Kenya Insights allows guest blogging, if you want to be published on Kenya’s most authoritative and accurate blog, have an expose, news TIPS, story angles, human interest stories, drop us an email on [email protected] or via Telegram
Advertisement

Kenya West is a trained investigative independent journalist and a socio-political commentator on matters Kenya and Africa. Do you have a story, Scandal you want me to write on? Send me tips to [[email protected]]

Advertisement
Advertisement
Advertisement

Facebook

Most Popular