Connect with us

Investigations

Part II: Inside Safaricom’s Massive Data Breach: How The Data Was Stolen And Concerns On Data Security

Published

on

On the 18th May, Benedict Kabugi Met his friend Jimmy At Saape Lounge along Kiambu Road. Unknown to him, he was walking into what would bring more troubles in his life.

A familiar friend, Benedict thought it was one of the very many usual catch up meetings. Shock on him, when he arrived, Jimmy had unfamiliar company, Mark.

A computer geek, Mark had a pricy commodity that would be beneficial to all; Safaricom internal data on all gamblers in Kenya. In total, 11.5M authentic data that would be sold.

Mark wanted a direct communication and link to Sportpesa, by then the leading betting firm in Kenya. In his head, this data would bring more business to the firm given it held the basic data of all gamblers in Kenya Using Safaricom. It was a rich source, so he thought.

Advertisement

Benedict being a well connected fellow in Nairobi, was the perfect person to do the link up, that’s according to his friend Jimmy who linked him and Mark up. 

Mark wanted a meeting with Sportpesa’s Chairman Paul Ndungu and the CEO Ronald Karauri so that’s how Benedict came into the picture as he was the reliable one to do the link up.

In the meeting, Mark gave a sample of the data to ascertain how genuinely it was. He wanted to sell the data to Sportpesa. Benedict curious to confirm the authenticity of the data and being a Safaricom subscriber and gambler, entered his credentials and shock on him, his gambling history and data was all captured in the cache and that’s when his curiosity hit the sky.

They parted ways with the promise that Benedict would arrange for a meeting with Sportpesa so this data would be sold. That was on a Saturday. On Sunday, Mark was blowing up Ben’s phone eager to know the developments, this was a rich resource and huge money in the offing.

However, Benedict felt like held so much in his hands and thought the data in his possession would put him at a greater risk so on Monday 20th he reported to Parklands DCIO where he was handled by a Mr. Njoroge.

Advertisement

He informed him about the data breach, Mr. Njoroge then called Mr. Rabala a DCI detective attached to Safaricom. By then, he was in court over a matter, he promised to get back. After exchanging contacts, Benedict would then be talking to Mr. Rabala on this matter.

Using WhatsApp, Benedict shared the sample of the data that he had received from Mark with Mr. Rabala. Apparently, the detective went mute for about two weeks after the initial communication with Ben and this where he took yet another step.

Because it was taking too long and Mark was asserting pressure for the Sportpesa meeting, Benedict then contacted a Mr Lokopoyit who’s the director of financial services at Safaricom. He sent him the 2,000 data sample that Mark had initially sent to him.

Mr. Lokopoyit who was engaged elsewhere then delegated a Mr. Patrick Kinoti who’s also a senior manager at Safaricom to handle the data matter with Benedict. At that point, they deemed it a serious matter.

When the two finally met, Kinoti had one key issue; how he got hold of the privileged data that only accessible to Safaricom employees and how to get the insiders who leaked this data. Kinoti in his statement said he verified the data and found it to be authentic.

Advertisement
Related Content:  Exposed: How SportPesa Conspired With A UK Firm In A Multi-Billion Tax Evasion Scheme

In the meeting Kinoti allegedly told Benedict that there’s a fund for useful intelligence like that of data that he gave so he proposed a Sh3,000,000 reward which Benedict boldly declined.

From the WhatsApp and texts records that were presented in court and Kenya Insights has seen, there was an active negotiation between the two parties to have Benedict rewarded for the intelligence and also as a compensation of his data as a gambler having been breached. The negotiations came down to a Sh.100,000,000 stop.

The meeting ended with Kinoti saying he had to make further consultations and would get back to Benedict. He then sent him a ‘weekend token’ of Sh50,000 on Mpesa. Text Evidence of this transaction was presented in court in court and Kenya Insights has seen the same.

They drew a deal, Benedict had to perfect the plan to have the insiders apprehended, he had the Diamond, Mark who had the data, would smoothly lay the trap to the boys and eventually get to the sources.

So they agreed that he ‘keeps the boys warm’ according to one of his texts to Ben that is also before the court and seen by Kenya Insights. By this, Benedict had to keep with the Sportpesa meeting. He orchestrated the meeting with Sportpesa CEO Ronald Karauri. There were 2 meetings with Ronald Karauri, the first one was at club Milan in Westlands on 3rd June and the second at ABC place on 7th the second and last meeting and that’s the day Benedict was arrested. 

Advertisement

Charles, the former employee of Safaricom had been sent by Mark to represent him in the meeting where he showed Karauri the sample of data and made it clear he wanted to sell it to him.

Even though Kenya Insights has not independently verified this since we’re not in hold of the said data. According to court documents, the database had the following information of all the gamblers:-

(i) Mpesa Detail;

(ii) Total bet amount;

(iii) Area/region/county;

Advertisement

(iv) First name, middle name, surname;

(v) Gender;

(vi) Date of birth;

(vii) Nationality;

(viii) Document type (National ID Card/Refugee ID);

Advertisement

(ix) Debit Party;

(x) Number of Companies;

(xi) Number of pay ins;

(xii) Latest bet date;

(xiii) Earliest bet date;

Advertisement

(xiv) Latest pay in to;

(xv) MSISDN-IMEI;

(xvi) Handset name;

(xvii) Manufacturer;

(xviii) Indicator 2G/3G;

Advertisement

(xix) Dual Sim and SFC class.

(i) Mobile Number;

(ii) First name, middle name, surname;

   3|Page

(iii) Gender;

Advertisement

(iv) Date of birth;

(v) Document type (National Identity Card/passport number/certificate of registration);

(vi) Latest area, region, county, locality.

This was a rich data for any betting firm which they’d easily use to target and market to gamblers. While the negotiations with Sportpesa was ongoing, Kinoti was also putting up His bargain.

In a text, Kinoti told Benedict that the Sh100M Bounty or Intel compensation that he had asked for was way above the budget. He then asked him ‘what would reasonably make you help us’ which sounds like a negotiating language. Kinoti made it clear that they wanted help to bring to an end the data issue.

Advertisement
Related Content:  Chinese Billionaire Jack Ma Threatens To Withdraw Kenya’s Covid-19 Support Over Aid Corruption Link

All this time, Kinoti was aware of the Sportpesa meeting and told Benedict to keep in touch with the boys. On 6th June, DCI detectives which Benedict says are attached to Safaricom, apprehended him and he was taken to DCI HQ, recorded a statement and taken to Gigiri Police where he spent the night.

Benedict who told the court that his arrest was illegal and irregular, was released the next day after making an agreement to help the police lay an net and nab the insiders who leaked the data. He told the court that he acted in good faith by reporting the breach to all relevant authorities and that in no way he acted in bad faith. He believes the police were used to harass and intimidate him. He was released without any charge.

He then worked with the detectives in a sting operation that led to the arrest of Mark and Charles on the 7th June. In the operation, the police confiscated the laptop that held the 11.5M data of Safaricom subscribers.

Mark and Charles then led police to the main sources of the data. Brian Wamatu and Simon Billy Kinuthia who’re Safaricom employees were waiting nearby for their share of the loot when the cops pounced and arrested them.

On 10th June, the two employees were charged in court for stealing data from Safaricom and giving it to illegal third part, Charles. Charge sheet also says that with menaces, they demanded Sh300,000,000 from Safaricom within intent to steal. Benedict was placed as a witness in this case.

Advertisement

An interesting statement came from Charles who said he was a Safaricom’s former employee. In his statement a lot of data concerns arises:-

He indicated that he worked with Brian Wamatu Njoroge (one of the Safaricom’s employees charged in the criminal case) and it is Brian who told him that there was a comprehensive data base of betting in the market already in use by some companies;

Charles confirmed that Brian introduced him to Billy Kinuthia (the second of the Safaricom’s employee charged in the criminal case) with Billy Kinuthia indicating that he would arrange for samples of the data;

Charles confirmed how he would receive an anonymous google drive link for an account named “root kitting” and instructions to download. He explains how this became the standard procedure an indication that data was illegally accessed severally.

He even goes further to indicate that he attended an official meeting at the Safaricom’s offices in 2017 whilst working for a company he refers to as “Mtandao” with the sole agenda for the meeting being to discuss how Safaricom could monetize data from its M-pesa platform and customer data base.

Advertisement

He confirms receiving a sample through the now “normal channels” and receiving the google drive links for download and which data they were informed at the time of the arrest, had been irregularly obtained from Safaricom.

According to his further affidavit, Benedict raised concerns on the data safety solely from Charles statement. “the above statement is extremely worrying and a proper reflection of the fear pertaining to data breach and the cavalier manner in which subscribers’ data is dealt with by employees of the Respondent as well as the Respondent itself.”

Related Content:  Alarm Raised Over Steady Looting at East Africa Development Bank By DG Vivienne Yeda Apopo

He argued that Safaricom has an obligation to its subscribers to protect their data and under no circumstances should it’s agents, employees or servants be able to access let alone copy the data and forward the same to outside parties.

He went further to say that there is clearly a failing on the part of Safaricom and their systems. Despite the incriminating statement from Charles, there has been no charge proffered against him to date.

The issue of data protection is one which the world is grappling with as evidenced by:-

Advertisement

(i) The fine of 183,000,000 pounds issued to British Airways as a result of hackers who stole client data;

(ii) The 5,000,000,000 dollars settlement to be paid by Facebook as a result of various data breach incidents.

Through his lawyer Prof Albert Mumma, Benedict wrote a demand letter to Safaricom for over breach of his privacy and malicious arrests that he insists was played by Safaricom’s attached detectives. In reply, Safaricom argued that letter was filed with malice and said he was being used by a criminal enterprise. They instructed him to report the matter to police as they’d not use mere claim of being in possession of data to write anything home.

Funny how in their letter, Safaricom conveniently left out the parts where Benedict had already reported the matter to DCIO Parklands and even their own Mr. Rabala whom they were in direct contact with and he even shared the sample of the breached data for verification. All this time he was playing ball with Safaricom to help them get the insiders leaking their privileged data.

A second demand letter on the infringements of his rights through his lawyer Maina and Maina Advocates would then land him in trouble. Benedict was arrested and charged in court on 10th June for allegedly demanding with menace Sh300M with intent to steal from Safaricom. Patrick Kinoti is the complainant in this criminal case.

Advertisement

Benedict who’s the sole petitioner in the class suit, wanted a court order for the data to be presented in court. It was granted and the data has been presented in court though it was done in private.

Interesting part is he now wants other affected 11.5M gamblers whose data was compromised to join the suit in what would be a huge legal battle. In his suit, Benedict want Safaricom to compensate him Sh100M for his privacy invasion through the data breach of Safaricom. He’s also suing them for his arrests that he terms as malicious.

If the court grants Benedict’s prayers, Safaricom would be compelled to pay Sh115Trillion to all the 11.5M subscribers whose data has been breached. Each of them would then receive Sh10M.Part


Kenya Insights allows guest blogging, if you want to be published on Kenya’s most authoritative and accurate blog, have an expose, news TIPS, story angles, human interest stories, drop us an email on [email protected] or via Telegram
Advertisement

Kenya West is a trained investigative independent journalist and a socio-political commentator on matters Kenya and Africa. Do you have a story, Scandal you want me to write on? Send me tips to [[email protected]]

Advertisement
Advertisement
Advertisement

Facebook

Most Popular