Part I: Inside Safaricom’s Massive Data Breach On Gamblers Data As They Face More Lawsuits In Europe

When Safaricom employees Simon Billy Kinuthia and Brian Njoroge were formally  charged with demanding Sh300 million from Safaricom and interfering with the Safaricom data, one of The Africa’s leading telecos could’ve drilled a nail in their troubles coffin.

According to a petition filled by a gambler Ben Kabugi, the charging of the two ICT employees was a confirmation that the Safaricom data was accessed, messed and interfered with.

On May 18, Kabugi was approached by an unknown individual, a Mr Mark, who had in his possession Safaricom data estimated at 11,500,000 Safaricom subscribers, the data which was exclusively for gamblers using Safaricom lines.

According to the said data, the 11,500,000 subscribers had used their Safaricom mobile phones to gamble on various betting platforms registered in Kenya. The data from the individual includes all the personal information of all the subscribers who gambles countrywide in different platforms but uses Safaricom lines.

It also has all the details of betting platforms of which the 11,500,000 subscribers gambles with, the amounts of money each subscriber stakes and the location of each gambler endangering and exposing them.

The petitioner upon meeting the stranger with Safaricom data reported the matter at various police station within the country as a precaution. On 20th May, he reported the matter to Parklands DCI where a detective he identifies as Mr. Njoroge handled the case, he even gave him a sample of 10,000 data to show the open breach.

Mr. Njoroge would then refer Ben to a Mr. Rabala who’s attached to the DCI unit at Safaricom for further action. According to Kabugi, he was advised by Mr. Rabala to continue conversation with the Mr Mark as they laid trap to get him.

Rabala had promised to get back to Ben by 21st May, however, he didn’t keep his words, worried that he didn’t make any official statement, he went to Central Police where he recorded a statement with the DCI under the OB No. 80 of 22nd May and they promised to do a follow up.

Nothing much was forthcoming from the investigating authorities and according to documents seen by Kenya Insights, Ben continued to stay in touch with Mark who was the source and didn’t raise and suspicions as instructed by Mr Rabala.

Days later on seeing there was no developments, the petitioner personally approached a Mr Lopokoiyit who’s the Financial Director of services at Safaricom and presented him with all the information that he had about the data breach.

Mr. Lopokoiyit then introduced the petitioner to a Mr. Patrick Kinoti. Meanwhile, Kabugi instructed his lawyers at Prof. Albert Muma & Co advocates and wrote a formal letter to Safaricom on 30th May.

According to court documents seen by Kenya Insights, Mr. Kinoti held a meeting with Kabugi in which he says he was offered Sh3,000,000 by the respondent for infringing his privacy rights. He declined asking for Sh100,000,000 and as a goodwill sign, Ben says he received Sh50,000 as an upfront payment from Mr Kinoti whom he says is a Safaricom employee, this evidence is in court.

Mr. Kinoti asked Ben for time to consult on the matter but asked him to keep conversing with Mr Mark, the source of the data without raising any red flags.

Mark had asked Ben to organize for a meeting with Sportpesa and to keep his hand of the bargain and not to raise any red flags as asked he organized for the meeting. Not much was coming from the investigating end and he didn’t want to lose Mark’ trust.

On 3rd June, Ben orchestrated a meeting with Mark and Sportpesa’s Ronald Karauri, while he doesn’t say the discussions held, he however, says Mr. Kinoti was fully aware of this meeting. Mark also introduced Ben to a Mr. Charles who was his partner.

Shockingly on June 6, 2019, he was arrested and taken to DCI where and was forced to write a statement on data issues. Kabugi said investigation progressed well, until a team from Safaricom joined the probe when he was detained at Gigiri Police Station, Nairobi County, taken to Milimani Law Courts before being charged.

Ben says that regardless, he cooperated with the police and laid a stint operation that led to the arrest of Mr Mark and Charles. During the operation, police confiscated the laptops containing the 11.5M data that was in case.

The arrests led police to the main sources of the illegal data and in line, Brian Njoroge and Billy Kinuthia both Safaricom employees with the latter being the Head Of Regional Expansion- Mobile Money arrested and charged in courts for the data breach on 10th June. Ben remains a witness in this case.

What puzzles Ben according to the petition is as why  Mr. Charles and Mark were never charged and instead listed as witnesses in the case. Ben insists the two were never known to him until 18th May when they approached him.

Ben says in the court documents that he was further arrested on 13th and 19th June in what he alleges is desperate measures by the respondent to push him to soften his stance on the case. He goes further to accuse the respondent for causing him trauma amongst other including damaging his reputation. He’s seeking compensation separately on this.

When Kenya Insights highlighted on the Sh115Trillion suit on Safaricom two months ago, we’ve actively been receiving random mails from curious local gamblers asking for more information on the breach with intentions and questions on enjoining the petition and more on how they can ascertain their data was breached, and if sold to third parties as the petition alleged. mails from unexpected quarters.

It now emerges that Safaricom’s troubles are going international with two possible lawsuits likely to be lodged in Paris and London. According to a London based publication, two new lawsuits are preparing to be filed sometime in the next couple of weeks in both London and Paris. They are being introduced based on the General Data Protection Regulation (GDPR) of the European Union (EU), and assert that the data breach affected over 500 European citizens that reside in Kenya.

Since the GDPR specifies how data of EU citizens has to be protected, even beyond EU borders, the lawsuits allege that Safaricom can be held accountable.

According to Kabugi, the case is still dragging along in court and, late last week, he and his legal team requested from the presiding judge that they be able to present the actual data as proof that Safaricom was compromised. The information has already been handed over and is now being reviewed for its authenticity. How the court rules on the legitimacy of the data could play a major role in how the London and Paris lawsuits play out.

Safaricom may be trying to use its status as one the largest telecommunications company on the continent to thwart any negative legal backlash related to the cases. Kabugi asserts that it has been pressuring media outlets such as the Nation and Standard media groups to avoid the subject, threatening them with pull out of advertising relationships that would cause them to lose major sources of income.

Safaricom is a subsidiary company of UK’s Vodafone. In this petition, Kabugi wants the court to compel Safaricom to pay every customer whose data was breached with Sh10,000,000 and himself the petitioner Sh100,000,000 as the sole petitioner away from the alleged harassment and damage in his reputation.

If anything, Safaricom shouldn’t sit easy given a similar case in which Equifax was slapped with a $650M settlement over the largest data breach. The credit bureau Equifax was told pay about $650 million and perhaps much more to resolve most claims stemming from a 2017 data breach that exposed sensitive information on more than 147 million consumers and demonstrated how little control Americans have over their personal data.