Safaricom, Kenya’s telecommunications giant, finds itself at the center of a brewing legal crisis that could result in crippling financial penalties and fundamentally reshape how the country approaches data protection.
The company is battling multiple lawsuits after personal information belonging to 11.5 million subscribers—nearly a quarter of its customer base—was allegedly stolen and nearly sold to a sports betting company.
The scale of the breach is staggering.
According to court documents, two former senior managers at Safaricom allegedly created an algorithm designed to analyze betting patterns among subscribers. What started as data analysis spiraled into something far more sinister: the wholesale theft of sensitive personal information including full names, phone numbers, birth dates, identity card numbers, passport details, military ID numbers, gambling transaction histories, and even precise location data down to the subscriber’s area, region and country.
The stolen data was transferred from Safaricom’s servers to Google Drive accounts secured with heavy encryption that the company has been unable to crack.
From there, the information was moved to three personal laptops, two of which remain missing.
This has triggered a race against time to prevent the data from being sold or transferred to additional parties.
At the heart of the scandal is Benedict Kabugi, a businessman who Safaricom claims was working with the former managers to sell the data trove to a major sports betting firm.
But Kabugi has positioned himself differently, filing his own constitutional petition claiming to be a whistleblower who exposed Safaricom’s failures to protect customer information.
He is demanding compensation of 100 million shillings for himself, plus 10 million shillings for each of the 11.5 million affected subscribers. If successful, this would amount to a jaw-dropping 115 billion shillings in damages.
Safaricom vehemently disputes Kabugi’s whistleblower narrative.
The company told the court that Kabugi is “just another person out to coerce and force Safaricom to pay him 100 million shillings” after he and the former managers struggled to complete their planned sale to the betting company.
The legal battle has spawned three separate cases: a civil suit filed by Safaricom seeking to block any sale or transfer of the data, Kabugi’s constitutional petition alleging violations of the Data Protection Act, and criminal proceedings against the two former managers and Kabugi.
Safaricom had initially sought to settle the civil case out of court in exchange for the defendants withdrawing their counter suits and promising not to transfer the data.
When the parties appeared before High Court deputy registrar Sylvia Moturi on October 8, however, they informed the court that settlement talks had collapsed, paving the way for a full trial.
The timing could not be worse for Safaricom. Globally, authorities have begun imposing massive fines on companies that fail to protect customer data.
Uber, Target, T-Mobile, Equifax, British Airways and Capital One have all been hit with substantial penalties for data breaches. In Kenya, the Office of the Data Protection Commission has recently ramped up enforcement, fining numerous firms for data leaks.
The evidence uncovered by the Directorate of Criminal Investigations paints a damning picture.
WhatsApp conversations between the alleged conspirators detailed the scheme, revealing how the former employees abused their privileged access to harvest data far beyond their authorization.
One of the implicated managers has even filed a separate petition challenging how the DCI obtained the WhatsApp chats, arguing the messages were manipulated.
For Safaricom, the stakes extend beyond financial penalties.
The company has warned the court that if the data is transferred to third parties, it could face a cascade of lawsuits from millions of affected subscribers, along with regulatory sanctions that could fundamentally damage its business.
With 49.93 million mobile subscriptions as of June 2025, representing 65.1 percent of Kenya’s market, the reputational damage alone could be catastrophic.
The 11.5 million affected subscribers all have one thing in common: they have previously used their mobile accounts for betting activities.
This demographic represents 23 percent of Safaricom’s total customer base, and the detailed gambling records contained in the stolen data make them particularly vulnerable to targeted scams and identity fraud.
Legal experts say the case could become a landmark moment for data protection in Kenya.
If the court rules against Safaricom, it would signal that companies holding vast amounts of personal information will be held to rigorous standards of care. Consumer rights advocates are watching closely, viewing the case as a test of whether Kenya’s relatively new data protection laws have teeth.
Safaricom has accused its former employees of breaching both their contractual obligations and statutory duties, arguing they systematically exploited their positions to steal information they had no right to access.
The company says it only learned of the breach through the DCI investigation and has been unable to access the Google Drive containing the stolen data or remotely delete it from cloud storage.
The case returns to court on October 30, 2025, for a pretrial conference to confirm that all parties have filed their pleadings.
As that date approaches, Safaricom faces an uncomfortable reality: a company that has built its reputation on connecting Kenyans now finds itself accused of failing to protect their most personal information.
Whether through settlement or courtroom verdict, the resolution of this case will reverberate through Kenya’s corporate landscape for years to come, potentially redefining what it means to be a custodian of customer data in the digital age.
