Betrayed Whistleblower: How Safaricom Executive Paid Informant Sh50,000 Then Turned Tables in Massive Data Breach Scandal

In a stunning revelation that has exposed the murky underbelly of corporate espionage and data security, a Nairobi businessman has laid bare how telecommunications giant Safaricom allegedly used him as a pawn in a high-stakes operation before spectacularly turning against him in a scandal involving 11.5 million leaked customer records.

Benedict Kabugi Ndungu, now facing criminal charges alongside two Safaricom managers, has lifted the lid on what he describes as an elaborate corporate sting operation gone wrong, claiming that Patrick Kinoti M’Arithi, Safaricom’s Head of Ethics and Compliance, personally bankrolled his undercover work with Sh50,000 before the company disowned him entirely.

The explosive claims paint a picture of a telecommunications behemoth that allegedly enlisted a civilian informant to infiltrate a data breach operation, only to later brand him a criminal mastermind who attempted to extort Sh300 million from the company.

The Sh50,000 Payment That Started It All

At the heart of Kabugi’s counter-narrative is an MPesa transaction dated May 25, 2019. He insists the money came directly from Kinoti, Safaricom’s ethics chief, with explicit instructions to facilitate clandestine meetings with individuals who had gotten their hands on subscriber data that should never have left the company’s secure servers.

According to Kabugi’s court filings, he was not operating as a rogue agent attempting to broker an illicit deal with betting giant Sportpesa.

Rather, he claims he was acting under the direct supervision and at the repeated request of Safaricom’s own compliance team, with Kinoti and another agent, Sitoyo Lopokoiyit, allegedly pulling the strings from behind the scenes.

“Keep the deal warm,” Kinoti allegedly instructed Kabugi after being informed that meetings had been arranged with Charles Njuguna Kimani and Mark Billy Nderitu, the individuals purportedly in possession of the compromised data.

The businessman claims he kept Safaricom’s representatives informed every step of the way, believing he was helping the company contain a massive security breach.

From Whistleblower to Accused Extortionist

The relationship between Kabugi and Safaricom deteriorated spectacularly after the dust settled on the initial investigation.

The company that had allegedly recruited him to help track down the source of one of Kenya’s biggest data breaches suddenly painted him as the villain in the piece.

Safaricom’s version of events, which Kabugi vehemently disputes, suggests he attempted to sell the leaked data to Sportpesa and later tried to shake down the telecommunications company for Sh100 million to reveal his sources.

The telco claims Kabugi only reinvented himself as a whistleblower after his alleged sales pitch to the betting firm collapsed.

Kabugi’s rebuttal is scathing.

He maintains he reported the data breach to Safaricom as a concerned citizen and only became involved in what the company now characterizes as criminal activity because its own agents specifically asked him to do so.

Far from demanding payment, he insists he helped Safaricom and law enforcement identify the breach without asking for a single shilling.

In a twist that adds another layer to this already complex saga, Kabugi claims it was actually Safaricom that attempted to buy his silence, allegedly offering him Sh3 million to drop plans for a lawsuit over the irregular disclosure of subscriber data.

The payment, he says, was positioned as compensation for his whistleblowing efforts and as an incentive to make the whole mess go away quietly.

Criminal Charges and Competing Narratives

The matter has now escalated into a full-blown criminal investigation. Following Safaricom’s complaint to the Directorate of Criminal Investigations, Kabugi found himself in a police cell alongside two of the telco’s own managers, Simon Billy Kinuthia and Brian Wamatu Njoroge.

While Kabugi admits to being charged, he describes the accusations as “trumped up,” including an allegation that he demanded Sh300 million with menaces.

He characterizes himself not as an extortionist but as a man caught in the crossfire of a corporate cover-up, used when convenient and discarded when inconvenient.

The competing versions of how the data actually changed hands add yet more confusion to an already tangled web.

Safaricom claims its investigations revealed WhatsApp conversations between managers Kinuthia and Wamatu showing exactly how unauthorized access to subscriber data was achieved.

The company alleges that a Google Drive link containing the sensitive information was sent to Kimani, who downloaded it onto his personal laptop, which was subsequently seized by the DCI.

Kabugi tells a different story entirely.

He says he received sample subscriber data not from any Google Drive or company insiders directly, but from Mark Billy Nderitu, who was accompanied by Kimani.

Both men, according to Kabugi, identified themselves as Safaricom employees. He denies owning the personal laptop that Safaricom claims was central to the data transfer and says he has no knowledge of how Kimani actually obtained the compromised information.

A House of Cards Built on Betrayal

What emerges from Kabugi’s court filings is a portrait of institutional betrayal on a grand scale.

If his version of events holds water, Safaricom deployed him as an intelligence asset, funded his operations, directed his movements, and monitored his progress in real time as he tracked down individuals who had walked away with one of the most sensitive data caches in Kenyan corporate history.

Then, when the operation became public and potentially embarrassing, the company allegedly cut him loose, reframed the narrative to cast him as the perpetrator rather than the helper, and left him facing serious criminal charges that could result in years behind bars.

The telecommunications giant, which holds the personal information of millions of Kenyans and occupies a position of enormous trust in the country’s digital ecosystem, now faces uncomfortable questions about how it handles data breaches, how it engages with informants, and whether it is willing to sacrifice individuals who help expose security failures rather than address the systemic vulnerabilities that allowed 11.5 million customer records to leak in the first place.

This case arrives at a particularly sensitive moment for data privacy in Kenya.

With increasing digitization of financial services, government records, and personal information, the protection of citizen data has never been more critical.

The suggestion that a major telecommunications provider might not only suffer a massive breach but then potentially mishanage the response raises serious regulatory concerns.

For Kabugi, the personal cost has been enormous. From his perspective, he went from being a businessman who reported a data breach in good faith to a criminal defendant facing charges that could destroy his reputation and livelihood.

The Sh50,000 payment that he says was meant to facilitate his assistance in tracking down data thieves has become, in Safaricom’s telling, evidence of his participation in a criminal conspiracy.

As this case proceeds through the courts, it will test not just the competing factual claims of the parties involved, but also the willingness of Kenya’s justice system to unpack the complex dynamics between large corporations, data security, and the individuals who find themselves caught in between.

Whether Kabugi is a whistleblower who got burned or a opportunist who got caught may ultimately be decided by judges reviewing MPesa records, WhatsApp messages, and testimony from a cast of characters that includes telecommunications executives, alleged data thieves, and law enforcement officers.

But one thing is already clear: this scandal has exposed deep fault lines in how corporate Kenya handles its most valuable and sensitive asset in the digital age, the personal information of millions of ordinary citizens.

And for Benedict Kabugi Ndungu, the man who says he was paid Sh50,000 to help Safaricom before the company turned its legal firepower against him, the question that hangs over everything is brutally simple: was he used and discarded, or was he in it for himself all along?