Major Data Leak Hits Business Registration Services in Cyber-Attack Exposes Sensitive Company Information

The Business Registration Services (BRS) has suffered a significant data breach following a cyber-attack, potentially exposing sensitive information about private companies to the public.

The breach, which occurred on the night of Friday, January 31, has raised serious concerns about the security of confidential data held by government agencies.

A source close to the matter confirmed the breach, revealing that BRS executives were locked in crisis meetings for most of Saturday, February 1, to address the fallout. The source, who spoke on condition of anonymity due to restrictions on speaking to the media, suggested that the breach may have involved an internal actor.

“We still can’t say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach suggests an internal actor,” the source said.

Data Exposed, Dark Web Links Confirmed

The full extent of the stolen data remains unclear, but there are confirmed reports that the compromised information is being sold on the dark web, a hidden part of the internet often used for illegal activities.

Kenya Insights has verified that the leaked data, hosted on a dark web site, includes records of all registered Kenyan companies dating back to 1967. The dump contains confidential information such as the names and contact details of company owners, directors, and beneficial owners.

Data-Rich Target

The BRS is one of the most data-rich entities within the Kenyan government, holding critical information on all registered companies, including their owners, beneficial owners, and directors. This data is typically accessible only through a paid service, but the breach has potentially made it available to anyone, bypassing the usual safeguards.

The agency’s online database, which allows the public to access such information, is currently down and inaccessible. This has raised suspicions that the attackers may have deliberately taken the system offline as part of their operation.

Additionally, the Office of the Official Receiver, which operates under the BRS, maintains records of companies in financial distress. It is feared that this sensitive data may also have been compromised in the breach.

Motive Remains Unclear

While the motive behind the attack is still unknown, sources indicate that authorities have ruled out ransomware as a likely cause. Ransomware attacks typically involve hackers demanding payment in exchange for restoring access to stolen data. In this case, the breach appears to have been aimed at exposing sensitive information rather than financial extortion.

Legal and Regulatory Implications

Under Kenya’s data protection laws, organizations are required to assess the extent of any data breach, notify affected parties, and take steps to contain the situation. The BRS is expected to issue a formal statement once the full scope of the breach is understood.

This incident marks the first major data breach involving a government entity in over a year, following a cyberattack on Kenya Airways in late 2023, which resulted in the loss of significant customer data.

As investigations continue, concerns are growing over the potential misuse of the stolen data, particularly given its sensitive nature. The breach underscores the urgent need for enhanced cybersecurity measures within government agencies to protect against increasingly sophisticated cyber threats.

The BRS has yet to announce a timeline for restoring its online services or providing further updates to the public. Meanwhile, affected companies and individuals are advised to remain vigilant and monitor for any unauthorized use of their information.

This developing story will be updated as more details emerge.