In late October 2025, Kenya’s data privacy landscape was thrust into the spotlight after a hacker group known as Kazu claimed responsibility for a massive breach allegedly affecting M-Tiba, a health financing platform operated by CarePay in partnership with Safaricom and other stakeholders.
The alleged leak, reportedly amounting to 2.15 terabytes of sensitive health and personal data, raised serious public concern. Screenshots and data samples circulated online, appearing to show names, ID numbers, phone contacts, medical diagnoses, and billing records from hundreds of health facilities.
Yet, weeks later, Kenya’s Office of the Data Protection Commissioner (ODPC) concluded its investigation into these claims and issued its finding: no evidence of a data breach was found on the M-Tiba platform.
The Investigation and Findings
The ODPC, as Kenya’s statutory regulator under the Data Protection Act, 2019, swiftly launched an inquiry following media reports of the alleged cyber-incident. In a press statement dated October 29, 2025, the regulator acknowledged engaging with M-Tiba and “other stakeholders to establish the full facts.”
Subsequent internal findings confirmed that, despite the widespread claims by Kazu, the ODPC found no evidence of a breach linked to the M-Tiba system or its partners.
This conclusion effectively cleared CarePay (the M-Tiba operator) and its key partner Safaricom of the specific data leak alleged by the hacker group.
While no formal determination has yet been published on the ODPC website, this finding represents the most authoritative update on the matter to date.
Safaricom’s Public Position
Although Safaricom has not issued a dedicated statement referring directly to the M-Tiba or Kazu investigation, the company’s broader stance on privacy and data protection remains well-documented.
In October 2024, Safaricom published a Position Statement on Data Privacy, reaffirming its strict adherence to the Data Protection Act and its policy of not disclosing customer data without a valid court order. Around the same period, it achieved certification to ISO 27701, the global privacy extension to the ISO 27001 standard, a milestone that underscores its efforts to institutionalize privacy as part of corporate governance.
Given Safaricom’s role as a key data processor within Kenya’s digital ecosystem, these commitments are significant. They demonstrate that data protection, when integrated into organizational culture and governance structures, can help insulate firms from both real and reputational risks when cyber incidents arise.
Lessons for Kenya’s Data Governance Ecosystem
The M-Tiba episode is more than a story about a data breach allegation. It is a case study in regulatory response, corporate accountability, and public perception.
- Transparency Matters: The ODPC’s swift acknowledgment and visible engagement with stakeholders helped manage public anxiety, a step that reinforces confidence in Kenya’s regulatory maturity.
- Corporate Governance as a Privacy Shield: Safaricom and CarePay’s prior investments in privacy governance (such as certification and compliance frameworks) likely strengthened their ability to respond credibly.
- The Need for Publicly Accessible Determinations: Publishing formal determinations enhances transparency and public trust, especially in high-profile cases where misinformation can spread faster than facts.
The Bigger Picture
This incident highlights a growing reality across Africa’s digital economy: data breaches and cyber claims are no longer theoretical threats. They test the resilience of national data protection frameworks, the readiness of regulators, and the governance cultures of organizations handling sensitive information.
Kenya’s handling of the M-Tiba case shows encouraging progress, combining regulatory responsiveness, corporate cooperation, and a maturing data protection ecosystem.
Still, as digital health platforms continue to expand, proactive transparency and ongoing investment in privacy-by-design will be key to sustaining public trust.
Conclusion
While the hacker group Kazu’s claims sparked alarm, the official record, backed by the ODPC’s investigation, confirms no evidence of a data breach at M-Tiba. Safaricom and its partners emerge not as culprits but as examples of how robust data governance can withstand scrutiny in the age of digital suspicion.

