Court Confirms Safaricom Customers Data Was Sold To Betting Companies In Seven-Year Cover-Up

A High Court judgment delivered in Nairobi on May 13, 2026 has confirmed what Safaricom spent seven years trying to suppress: that its own employees systematically extracted the personal data of 11.5 million subscribers and trafficked it to third-party betting companies for commercial gain, violating constitutional rights the corporation was legally bound to protect.

Justice Bahati Mwamuye of the Constitutional and Human Rights Division awarded KShs 900,000 each to eleven petitioners and ordered Safaricom to bear the full costs of the Petition, with interest running at court rates from the date of judgment until every last shilling is paid.

The ruling, delivered in HCCHRPET No. E095 of 2026, is the first time a Kenyan court has rendered a definitive constitutional finding against Safaricom over the 2018 to 2019 breach, one of the largest known violations of subscriber privacy on the African continent.

The total direct payout ordered stands at KShs 9.9 million, but the reputational, regulatory and litigation arithmetic now confronting East Africa’s most valuable listed company is of an entirely different magnitude.

“Privacy ceases to be an abstract constitutional promise and becomes a lived vulnerability. The Constitution does not permit such vulnerability to be normalised in the name of technological convenience or institutional denial.” — Justice Bahati Mwamuye

INSIDE THE SCHEME: ALGORITHMS, GOOGLE DRIVE AND NAMED BETTING FIRMS

The Court’s findings piece together a criminal enterprise that began no later than June 2018, nearly a year earlier than Safaricom had publicly acknowledged.

Simon Billy Kinuthia, who held the senior position of Manager, Networks and M-Pesa Systems Auditor, designed a bespoke algorithm to mine and collate subscriber data far beyond the scope of his authorised access.

Brian Wamatu Njoroge, Head of Regional Expansion at the telco, was his co-conspirator.

Together they moved the extracted dataset, covering identity particulars, full betting histories, M-Pesa transaction records, device IMEI numbers, geolocation data down to constituency level, passport and national identification numbers, and dual-SIM indicators, from Safaricom’s servers onto a Google Drive controlled by Kinuthia, which Safaricom has been unable to access to this day.

From that Google Drive, the data migrated onto personal laptops.

The DCI and Safaricom located one laptop; two remain unaccounted for and in circulation in the digital underground.

From those devices, the data was disseminated outward, repeatedly and for money, across a chain of intermediaries and direct commercial contacts within the betting sector.

The most damning evidence before Justice Mwamuye was WhatsApp forensic material that Safaricom itself introduced into the record as Annexure ATM-3, apparently expecting it to vindicate its ‘rogue employees’ defence.

It did the opposite.

The communications, spanning June 2018 to May 2019, name the recipients of subscriber data in explicit terms.

The judgment records the named entities and individuals as Andrew Aligula, Odibet, the Mburus, Charles, and the Mule.

The Court found these references to be neither incidental nor innocuous, describing them as evidence of a coordinated and organised pattern of external transmission and commercial exploitation of confidential subscriber information originating from within Safaricom’s own systems.

“The communications reveal what, prima facie, appears to be a deliberate enterprise involving the extraction, transfer, dissemination, and monetisation of subscriber data to various actors operating within the betting and gambling ecosystem.” — Judgment, Paragraph 68

The reference to ‘the Mburus’ in the forensic WhatsApp record, read alongside earlier reporting and civil filings, now carries a judicial imprimatur it previously lacked.

Odibets, trading through Kareco Holdings and which entered the Kenyan market in 2018, precisely when the data extraction was occurring, is similarly named. Odibets has not publicly responded to the allegations.

Earlier criminal proceedings had already established the factual skeleton.

Kinuthia and Njoroge were charged in Criminal Case No. 962 of 2019 at Milimani Chief Magistrate’s Court with computer fraud, unlawful copying and transfer of subscriber data, and demanding KShs 300 million from Safaricom by menace.

The initial destination for the dataset was Pevans East Africa, which trades as SportPesa.

That deal collapsed when a Safaricom executive could not guarantee a continuous flow of data. The data was then shopped more broadly, which is how it reached multiple betting companies.

HOW SAFARICOM TRIED AND FAILED TO BURY THE CASE

Safaricom’s legal strategy across six years of litigation has been consistent: deny the scale, discredit the witnesses, invoke parallel proceedings, and blame individuals rather than the institution.

Each strand of that strategy was forensically dismantled in the judgment.

The company argued that the Petition was an abuse of court process because parallel criminal and civil proceedings already addressed the same facts, citing HCCPET No. 247 of 2019, HCC No. 194 of 2019, and Criminal Cases No. 962 and 979 of 2019.

Justice Mwamuye applied a three-part test covering identity of parties, substantial identity of issues, and risk of inconsistent outcomes, and rejected the objection comprehensively.

The Court pointed out that the Petitioners had in fact been directed by a previous court to file a separate constitutional petition, having earlier sought joinder to the existing civil suit, and that Safaricom had opposed that joinder.

The judge held that it was legally untenable for Safaricom to resist consolidation and then attack the resulting separate proceedings as duplicative.

The company challenged the affidavit of Benedict Kabugi, the whistleblower-turned-accused who had alerted Safaricom to the breach in May 2019 only to be arrested and charged with demanding money with menaces.

Safaricom argued that Kabugi’s affidavit was inadmissible, procedurally irregular and self-serving.

The Court admitted it but calibrated its weight carefully, ruling it could be relied upon only to the extent corroborated by independent material.

Given that Safaricom’s own annexures and forensic records substantially corroborated Kabugi’s account, the practical effect of that qualification was limited.

Most critically, Safaricom rested its substantive defence on the UK Supreme Court decision in WM Morrison Supermarkets PLC v Various Claimants, which held that an employer is not vicariously liable in common law tort for rogue employee conduct unconnected to their assigned functions.

Justice Mwamuye took that authority seriously but ultimately set it aside as inapplicable.

The Court held that the present dispute was not a common law tort claim but a constitutional petition grounded in Articles 28, 31 and 46 of the Constitution of Kenya, which impose affirmative, non-delegable obligations on data controllers that survive the employment classification of any individual wrongdoer.

“Liability arises not merely from employment categorisation, but from institutional failure to secure constitutionally protected personal information.” — Judgment, Paragraph 115

THE DATA THAT WAS SOLD: EVERY INTIMATE DETAIL

The inventory of extracted subscriber data as confirmed in court documents and the judgment is extraordinary in its breadth and intimacy.

Every person in the 11.5 million cohort had the following information trafficked without their knowledge or consent: full legal names, mobile numbers, gender, date of birth, nationality, national identity card number, passport number, military identity card number, alien card number where applicable, certificate of incorporation number where applicable, the specific betting platforms on which they were registered, their complete gambling transaction histories including total amounts staked, the number of pay-in transactions, the date of their most recent bet, the M-Pesa financial records funding their betting activity, the make, model and IMEI number of their handset, the network generation used, whether they operated a dual-SIM device, and their precise geolocation including area, region and country.

This was not raw data: Kinuthia’s algorithm was specifically designed to collate, analyse and package this information in a form optimised for commercial exploitation by betting companies.

The dataset was, in the language of the judgment, a goldmine for targeted marketing, behavioural profiling and identity exploitation.

The Court further noted that Safaricom’s own financial disclosures during the breach period showed rising M-Pesa transaction volumes attributable to increased betting activity, a commercial nexus the Petitioners argued was causally connected to the disseminated data enabling precisely targeted promotions.

THE CONSTITUTIONAL FINDINGS AND WHAT THEY MEAN

Justice Mwamuye made clear and unequivocal constitutional findings on three provisions.

On Article 31, he held that the unauthorised exposure of personal information within a system entrusted with its protection constitutes an interference with the right to privacy, regardless of whether each individual subscriber could prove the precise extraction of their specific records.

On Article 28, he held that the dissemination of sensitive behavioural and financial data, including betting patterns and transactional histories, inherently engages the dignity interests of affected individuals, and that unlawful intrusion into personal informational space constitutes a violation of dignity even absent physical harm.

On Article 46, he held that a service provider processing highly sensitive consumer data at scale, which fails to ensure adequate safeguards, renders its service deficient within the meaning of constitutional consumer protection standards.

The Court rejected Safaricom’s argument that requiring each of the 11.5 million affected subscribers to prove the precise extraction of their individual data was a legitimate evidential standard.

It held that such a threshold would impose an impossible burden on data subjects while simultaneously insulating data controllers from constitutional accountability by virtue of their exclusive possession of the underlying records.

Once a systemic breach affecting a defined class of subscribers is established, constitutional harm may be inferred from the nature, scale and scope of the compromise itself.

THE DAMAGES AWARDED AND WHAT COMES NEXT

The Court awarded KShs 900,000 to each of the eleven named Petitioners, totalling KShs 9.9 million, declining to grant the full KShs 1.5 million per person that the Petitioners had sought.

The judgment characterised the award as vindicatory rather than punitive, designed to affirm the sanctity of informational privacy under Article 31 and underscore the dignity interest under Article 28.

Interest runs at court rates from May 13, 2026 until payment in full. Costs were awarded to the Petitioners without qualification.

The more consequential question is what follows. HCCPET No. 247 of 2019, the separate constitutional petition filed by Kabugi representing himself and the full class of approximately 11.5 million affected subscribers, remains pending, having been stayed pending the criminal cases.

The criminal proceedings against Kinuthia and Njoroge, now in their seventh year, remain unresolved.

The High Court judgment in E095 of 2026, while not binding precedent on those proceedings, has now created a constitutional record of systemic data governance failure that will be extremely difficult for Safaricom to unpick in any future forum.

Benedict Kabugi’s original class petition sought KShs 1.5 million per subscriber across 11.5 million affected persons, a total exposure of KShs 17.25 trillion.

The mathematical landscape of Kenya’s most consequential data privacy litigation has now been permanently altered by Justice Mwamuye’s ruling, which establishes both the fact of systemic violation and the constitutional basis for mass compensatory relief.

The regulatory exposure through the Office of the Data Protection Commissioner adds a further dimension: the Commissioner has broad powers to investigate, audit and sanction data controllers found to have breached data protection obligations, and the High Court’s constitutional finding provides the strongest possible foundation for such intervention.

“Where personal data of millions is exposed, privacy ceases to be an abstract constitutional promise and becomes a lived vulnerability.” — Justice Bahati Mwamuye

A RECKONING SEVEN YEARS IN THE MAKING

Safaricom has long positioned itself as a responsible corporate citizen, the engine of Kenya’s digital economy, and a model for data governance in Africa. Its M-Pesa platform processes a majority of Kenya’s digital financial transactions.

Its subscriber base constitutes nearly a quarter of Kenya’s population.

The intimacy of the data it holds, covering how Kenyans move, how they earn, how they borrow, and how they spend, is without parallel on the continent.

The High Court’s judgment does not merely impose a financial penalty. It strips away the institutional cover that Safaricom spent seven years constructing around a known, documented, internally admitted data catastrophe.

The company knew in May 2019 that 11.5 million subscriber records had been exfiltrated by its own senior managers, that those records were on unrecoverable personal laptops, and that at least some of that data had reached multiple betting companies.

It reported the matter to the DCI, pursued civil injunctions and prosecuted its former employees, all while maintaining in every public forum that subscriber data remained safe.

Justice Mwamuye has now found, on the record compiled by Safaricom itself, that the breach was sustained, organised, and commercially exploitative. The named betting companies including Odibets and others referenced in the forensic WhatsApp record, now face the same constitutional and regulatory scrutiny that the High Court has trained on Safaricom.

The question of whether they knowingly purchased stolen subscriber data, and what that means for their operating licences, tax compliance, and liability to those same 11.5 million subscribers, is a question Kenya’s regulators and courts are no longer in a position to ignore.

Safaricom’s response to this judgment will define its governance posture for a generation.

It can appeal, delay and litigate further, extending the agony of 11.5 million people who never consented to having their most personal information sold to the highest bidder.

Or it can acknowledge what its own documents proved, settle comprehensively, and begin the long and costly work of rebuilding the constitutional trust that Justice Mwamuye has found it destroyed.