A legal dispute involving the alleged leak of subscriber data belonging to over 11.5 million Safaricom customers continues to unfold in Kenyan courts, according to a report by Joseph Wangui published in Business Daily Africa.
The case, which has been ongoing for several years, centers on claims that two former Safaricom managers accessed and shared sensitive subscriber data without authorization. The leaked information reportedly included customer names, phone numbers, dates of birth, identification numbers, passport details, location data, and gambling or betting records.
According to court filings cited in the Business Daily report, the data was allegedly offered for sale to a top sports betting company identified as SportPesa. The individual who brought the matter to light, Benedict Kabugi Ndungu, has filed a class-action lawsuit on behalf of the affected subscribers.
Ndungu claims that he was approached to assist in selling the data but instead reported the matter. Safaricom has since accused him of demanding money by menaces, a criminal charge that he denies. The ongoing proceedings have temporarily halted the class-action suit while the criminal case continues.
Court records indicate differing positions by Safaricom over time. In a 2019 affidavit, a senior litigation manager reportedly denied that any data breach had occurred. However, in subsequent filings, the company sought an injunction to prevent the sale or transfer of the data, an apparent acknowledgment that the data may have been compromised.
No final determination has been made in either the civil or criminal matters. Safaricom has not issued a recent public statement on the case.
The dispute underscores Kenya’s growing focus on data governance, insider threats, and corporate accountability, as the enforcement of the Data Protection Act (2019) continues to evolve.