A Moldovan business intelligence firm, B2bhint, has taken down sensitive Kenyan business data from its website as Kenya’s data protection watchdog probes a major breach that could lead to fines and compensation claims against the country’s Business Registration Service (BRS).
The data leak, which exposed business dealings of prominent Kenyan figures—including President William Ruto’s family, the Kenyatta family, and other influential investors—sparked concerns over the security of Kenya’s corporate registry. The breach reportedly made personal details such as residential addresses, phone numbers, and beneficial ownership information available for sale.
B2bhint Pulls Data, Cites Legal Risks
In response to the growing scrutiny, B2bhint said that it opted to remove the Kenyan data to avoid legal liability. The firm insisted that neither the BRS nor any Kenyan law enforcement agency had contacted it following the breach.
“We have decided to temporarily remove all Kenyan company data from our website while we conduct further research to determine what information is permissible to publish,” the company said in a statement.
However, B2bhint still hosts business data from other jurisdictions, including the UK, Dubai, Europe, and multiple U.S. states.
Data Watchdog Launches Investigation
Kenya’s Office of the Data Protection Commissioner (ODPC) has officially launched an investigation into the breach, focusing on whether the BRS failed to protect sensitive corporate data. If found liable, the State agency could face penalties of up to Ksh 5 million under the Data Protection Act of 2019.
“The probe might take some time, but ultimately, we’ll publish a determination which will say who is liable and whether or not affected parties will need to be compensated,” an ODPC spokesperson stated.
Beyond regulatory fines, the BRS could face hefty compensation claims from high-profile individuals whose data was exposed. Under Kenya’s data protection laws, affected individuals can sue for damages, potentially resulting in significant payouts.
Breach Sparks Speculation Over Ransom Demands
The breach has also fueled speculation about a possible ransom demand. Reports indicate that B2bhint was selling Kenyan business data in packages worth up to Ksh 24 million, with individual phone numbers priced as low as Ksh 2. A monthly subscription offering access to beneficial ownership details was reportedly going for $350 (Ksh 45,226).
B2bhint denied hacking the data, instead blaming weak cybersecurity measures at the BRS for making it easily accessible.
Scramble to Contain Damage
Since the breach came to light last Friday, Kenyan authorities have been working to contain the fallout. The leaked data provided a rare public glimpse into the financial networks of Kenya’s wealthiest families, revealing information typically reserved for government agencies and select investors.
BRS Director-General Kenneth Gathuma has not responded to requests for comment on the breach.
Meanwhile, international cases highlight the costly consequences of such incidents. In January 2023, U.S. telecom giant AT&T agreed to pay $13 million (Ksh 1.67 billion) to settle an investigation into a data breach affecting 8.9 million customers.
It remains unclear whether B2bhint will reinstate the Kenyan data, but the incident has raised serious concerns about the security of business records and the potential misuse of sensitive corporate information.