THE CLAIM

A intelligence report circulating among sources close to ongoing litigation over Safaricom’s historic subscriber data breach alleges that Ronald Karauri, the SportPesa chief executive who in 2022 became the first independent candidate ever elected to Parliament from a Nairobi constituency, privately purchased a stolen cache of subscriber data in 2019 and later repurposed it as an electioneering weapon. The document puts the price at more than Sh25 million and names as the source a familiar figure in Kenya’s data-breach saga, Benedict Kabugi Ndungu, the man at the centre of the original 2019 Safaricom leak.

The allegation is serious, specific, and, on the evidence available to this publication, unproven. No court has made a finding that Karauri completed a purchase of the data. No criminal charge names him as a buyer. The dossier itself, as this publication understands it, is a compilation of claims rather than a verified judicial record, and its central transaction narrative should be read as an allegation, not an established fact. What can be established, and what makes the allegation impossible to dismiss out of hand, is the extraordinary paper trail the underlying breach has already produced in Kenyan courts, and the very narrow margin by which Karauri won his seat three years later.

THE 2019 BREACH, REVISITED

The origin story is not in dispute. Sometime around May 2019, Safaricom internal systems were compromised and the personal, financial and gambling profiles of an estimated 11.5 million subscribers were extracted by insiders and shopped to outside parties. Court records from the ensuing criminal and civil proceedings, including reporting this publication has previously carried, describe how Benedict Kabugi Ndungu was drawn into the scheme by an associate identified in filings as Mark, who wanted a direct line into Kenya’s betting industry. Kabugi, by his own account, tested the authenticity of the sample data by entering his own Safaricom credentials and finding his personal betting history staring back at him.

What followed, according to those same court records, were two in-person meetings between the sellers and Sportpesa’s leadership: the first at Club Milan in Westlands on June 3, 2019, and the second at ABC Place four days later, the same meeting at which Kabugi was arrested. Court filings quote Safaricom’s own account of the episode, which insists that a prospective deal between the sellers and Sportpesa fell apart because the sellers could not guarantee an uninterrupted flow of fresh data going forward, not because Sportpesa refused the data on principle.

That distinction matters enormously to the dossier now in circulation. If the deal genuinely collapsed in 2019 for lack of a continuous supply, as Safaricom’s own civil pleadings maintain, then the intelligence report’s claim of a completed Sh25 million transaction requires either a second, separate transaction the courts never heard about, or a fundamental rewriting of what actually happened at ABC Place that week. This publication has not been able to independently verify which version is correct.

“A deal with a betting firm fell through because continuous data flow could not be guaranteed.”

— Court pleadings on the 2019 Safaricom breach, as previously reported

WHAT THE HIGH COURT ACTUALLY FOUND

The most significant judicial development in this saga to date is Constitutional Petition No. E095 of 2026, in which Justice Bahati Mwamuye of the High Court’s Constitutional and Human Rights Division delivered a landmark finding against Safaricom in May 2026. The court held that Safaricom bore constitutional liability for the 2018 to 2019 breach, rejecting the telecom’s long-standing defence that rogue employees acting alone should absorb all responsibility. Eleven petitioners were awarded Sh900,000 each, a modest sum in isolation, but one that sits atop a far larger and more explosive evidentiary record.

That record includes WhatsApp forensic material that Safaricom itself placed before the court, apparently expecting it to support its defence. It did the opposite. The communications, spanning June 2018 to May 2019, named a set of external recipients or intermediaries the court described as evidence of a coordinated pattern of data transmission and monetisation.

That omission cuts in two directions. It could mean, as Karauri’s defenders would likely argue, that the completed commercial exploitation of the breach flowed to entirely different actors, and that Sportpesa’s only brush with the data was the failed 2019 approach that both sides agree came to nothing. Or it could mean, as the dossier’s authors would likely argue, that whatever transaction Karauri is alleged to have concluded was structured deliberately to leave no trace in the communications Safaricom chose to disclose, a separate and more discreet channel than the one that collapsed in public view. The court in E095 of 2026 was not asked to rule on Karauri’s conduct and did not do so.

A SEAT WON BY 1,962 VOTES

Whatever the truth of the transaction, the political stakes the dossier describes are real and quantifiable. Karauri contested the Kasarani parliamentary seat in August 2022 as an independent candidate, a route he took only after missing out on the Jubilee Party nomination that April. He won with 32,406 votes against 30,444 for his closest challenger, John Njoroge, and 24,790 for the incumbent, Mercy Gakuya of Jubilee. The margin of victory over second place was 1,962 votes, in a constituency of 155,405 registered voters where turnout reached only 91,774. Karauri went on to describe himself, correctly, as the first independent candidate ever elected to Parliament from Nairobi County.

It is precisely that margin, tight enough to be moved by a few thousand well-placed persuasions, that gives the micro-targeting allegation its force. The dossier’s account of the campaign’s methodology describes a level of granularity that ordinary Kenyan campaigns, reliant on rallies, posters and generic bulk SMS, do not typically possess: ward-by-ward and estate-by-estate mapping of the Kasarani electorate, cross-referencing of betting and financial transaction patterns to flag voters susceptible to particular economic promises, and personalised text messages that greeted residents by name and referenced their own neighbourhoods. If even a fraction of that description is accurate, it would represent one of the more sophisticated and legally fraught uses of stolen personal data in a Kenyan election to date.

This publication stresses that the specific mechanics described, the predictive modelling, the psychographic SMS targeting, the analytical infrastructure allegedly controlled by Karauri’s campaign team, originate from the dossier itself and have not been independently corroborated through court filings, IEBC campaign finance disclosures, or on-the-record technical sources. They are presented here as serious, specific allegations warranting further scrutiny, not as established fact.

THE MAN AT THE CENTRE, AGAIN

Karauri’s public life has rarely stayed out of the headlines since that 2022 win. The Kasarani MP and Sportpesa chief executive has weathered a running battle with the Kenya Revenue Authority, which at one point demanded billions in back taxes from Sportpesa and forced the company to deport foreign directors and briefly shutter local operations. He has more recently found himself defending his personal life against a former partner’s public allegations, exchanging a very public Sh10 million dare with blogger Edgar Obare over recordings the blogger never actually leaked, and facing accusations from influencers he allegedly hired to manage that controversy that he never paid them. None of that personal drama bears directly on the data allegations. It does, however, describe a public figure accustomed to controversy breaking around him and to responding by controlling the narrative rather than litigating the underlying claim, a pattern legal observers following the Obare episode have already flagged.

Kabugi Ndungu, for his part, has spent the years since 2019 positioned simultaneously as whistleblower and litigant, having gone to Safaricom’s own civil pleadings accused of trying to “convert himself into a whistleblower” only after the original sale attempt fell apart, while separately suing Safaricom for Sh100 million over what he describes as the invasion of his own privacy as a data subject. A man who occupies both roles at once, seller and victim, whistleblower and litigant, is not an uncomplicated source, and any dossier built substantially on his account needs to be read with that duality in mind.

WHAT THIS MEANS

Kenya’s High Court has now formally established, through E095 of 2026, that Safaricom’s subscriber data was systematically extracted and trafficked to commercial actors over an extended period, and that the telecom’s own internal governance failures made that trafficking possible. That finding alone reframes the Karauri allegation from a fringe rumour into a plausible extension of a judicially confirmed pattern. What the court has not established, and what this dossier alone cannot establish, is that Karauri specifically was a buyer, that Sh25 million specifically changed hands, or that any data he acquired specifically shaped the 1,962-vote margin that put him in Parliament.

Kenya Insights has sought comment from Ronald Karauri and from Sportpesa’s corporate office regarding the specific allegations contained in the dossier. Neither had responded by the time of publication. This publication will update this story with any response received, and will continue to pursue the underlying question the courts have so far left open: who, precisely, did buy the data Safaricom lost in 2019, and what did they do with it.

This is a developing investigation. Kenya Insights will continue reporting on Constitutional Petition E095 of 2026 and related proceedings as they progress.