

Safaricom Faces Class Action Suit Over Massive Data Breach As Case Lands On CA’s Desk



Safaricom CEO Peter Ndegwa.

Kenya’s biggest telecommunications firm, Safaricom, faces a major legal battle after a subscriber gave notice of his intention to commence class proceedings against the firm over an alleged massive data breach.

In a letter dated 22nd January, written to the CEO Peter Ndegwa and seen by Kenya Insights, Adrian Kamotho Njenga claims that he is one of the 11.5M Safaricom customers whose data was breached, leaked and is in circulation among unauthorized persons, putting the security and privacy of customers at risk.

Kamotho argues that since the breach of Safaricom data in June 2019, which was orchestrated by the firm’s employees Simon Billy Kinuthia and Brian Wamatu Njoroge, who were arrested and charged for the breach, the firm has not been able to contain further spread of the data. “It is apparent that confidentiality, privacy and security of subscriber data lawfully placed on the custody of millions of Safaricom subscribers remains in breach,” the letter reads.

He continues, “personal data of millions of subscribers continues to be disclosed to persons who have no lawful reason, right or authority to access the data. Further the data has been variously transferred from Safaricom servers to publicly accessible Google drive repositories and other devices out of Safaricom’s control.”

In civil case number 194 of 2019, filed before the Milimani Court by Safaricom against its former employees and a third party, Mr. Benedict Kabugi, the firm admitted that the data was indeed in the hands of third parties and that it had been unable to access the Google Drive where one of the employees stored the data.

According to court documents, investigations by Safaricom show that Simon Billy Kinuthia, who at the time held a senior managerial position at the firm responsible for Networks and M-Pesa audit and was authorized to access confidential customer information, accessed customer data and transferred it via Google Drive to Brian Wamatu, also a senior official at the firm, who later shared it with Ben with the intention of selling the data to third parties. Indeed, an effort to sell the data to SportPesa was made before the deal went bad.

Through Adrian Kamotho Njenga & Co. advocates, Adrian in the letter to the CEO insists that Safaricom has been unable to lawfully get hold of the data and protect its customers.

“The data has been irregularly subjected to analytical and data mining script in a manner not sanctioned by law. Besides, the said data which is no longer in the safe custody and control of Safaricom, continues to be randomly shared and offered for sale in flagrant breach of express contractual and statutory duty to keep the data confidential, private and secure.”

Replying to the letter on behalf of Safaricom, Peter Munge, for MMC Asafo, asked the complainant to furnish him with proof that the breach is still active, a response Adrian dismissed as ‘ambiguous, evasive and non responsive’, saying the suit would go ahead.

“Evidence in our possession demonstrates that despite the gravity of the enduring violation of subscribers’ rights, Safaricom has continued to treat the foregoing matter with casualness and indiscretion and has never activated mechanisms for redress. Little effort has been expended towards recovering the electronic devices to which the data of over 11.5M Safaricom subscribers was downloaded,” the letter reads.

It continues, “worse still, nothing has been done towards securing the subscribers’ data residing within the publicly accessible Google drive. Thus, the data contained continues to be indiscriminately shared, transferred, disseminated and horse-traded in downright violation of the straightforward dictates of Article 31 of the Constitution of Kenya.”

Kenya Insights reached out to Safaricom CEO Ndegwa about the letter for his comment on the claim, in particular whether it is true that the data breach is still going on because the firm has never been able to recover the stolen data from the ex-employees, who have fallen into the category of unauthorized third parties since they were fired, and whether it is true that Safaricom has never notified the affected subscribers to date, as required by law, even though the data has never been recovered.

By the time of publishing, our delivered messages remained unanswered.

While issuing the notice, Adrian opines, “despite the persistent data breaches, Safaricom is yet to comply with statutory provisions related to data protection and rights to privacy. The foregoing acts constitute severe infringement of our client’s (Adrian) rights and those of the wider public enshrined under numerous provisions of the law.”

In June 2019, another Safaricom subscriber filed a petition in Milimani Constitutional court seeking Sh100 million in compensation from Safaricom over infringement of his rights to privacy.

Through Maina and Maina advocates, Benedict Kabugi claimed that the company violated his rights to privacy and also the rights of over 11 million users and gamblers as protected in the Constitution.

“I am a Safaricom subscriber and from time to time I gamble through Sportpesa android application, using my Safaricom mobile number,” said Kabugi.

He also wanted Safaricom to pay each of the 11,500,000 subscribers damages of Sh10,000,000 for violating their rights under the Constitution, which would cost the company a staggering Sh115 trillion.

“I have filed this petition under article 22(1), 22(2) (b) 22(2) (c), 258(1) (2) of the Constitution Section 4 of the consumer protection act,” he says in his petition.

According to him, the Constitution guarantees the right to privacy, right not to have information relating to their families or private life unnecessarily obtained by strangers.

“Safaricom is under a constitutional statutory mandate to ensure that the data received from its subscribers is treated in a secure and confidential manner,” he says.

He says that on May 18, he was approached by an individual, a Mr Mark, who had in his possession Safaricom data on an estimated 11,500,000 Safaricom subscribers, data which was exclusively for gamblers using Safaricom lines.

According to the said data, the 11,500,000 subscribers had used their Safaricom mobile phones to gamble on various betting platforms registered in Kenya.

The data from the individual included all the personal information of all the subscribers countrywide who gamble on different platforms using Safaricom lines.

It also has all the details of the betting platforms on which the 11,500,000 subscribers gamble, the amounts of money each subscriber stakes and the location of each gambler, endangering and exposing them.

Upon meeting the stranger with the Safaricom data, the petitioner reported the matter at various police stations within the country.

Kabugi said he later reported the matter at the Safaricom headquarters after police took too long to act on the matter.

Shockingly, on June 6, 2019, he was arrested and taken to DCI, where he was forced to write a statement on data issues.

Kabugi said the investigation progressed well until a team from Safaricom joined the probe, when he was detained at Gigiri Police Station, Nairobi County, and taken to Milimani Law Courts before being charged.

His earlier cooperation with the investigating agency led to the arrest of two Safaricom employees, Simon Billy Kinuthia and Brian Njoroge, who were charged with demanding Sh300 million from Safaricom and interfering with the Safaricom data.

According to Kabugi, the charging of the two ICT employees was confirmation that the Safaricom data was accessed, messed and interfered with.

Elsewhere, Lawyer Ahmednasir Abdulahi had also threatened to sue Safaricom over data breach though not much has been heard of him on the subject since the threat.

Meanwhile, the stage is now set for a measure of might and the grip of the law, with Kamotho now taking his case to the office of the Communications Authority through the Commissioner of Data. He seeks the authority’s intervention on the data breach by Safaricom.

Kamotho now wants Commissioner of Data Ms. Immaculate Kassait to be guided by Section 8 (1) (a) of the Data Protection Act, 2019 to investigate the alleged data breaches and ensure Safaricom abides by the law, including informing all the affected 11.5M customers of the data breach.

This is certainly the first major case on Ms. Kassait’s table since her appointment, and many will be watching to see how she handles the case against the giant company, with the decision used to gauge the authority of the newly founded office.