Safaricom Faces Court Over Massive Data Breach Affecting 11.5 Million Users

Kenya’s largest telecom operator, Safaricom, is heading to the High Court after settlement talks collapsed in a landmark data breach case involving the alleged theft of personal information from 11.5 million subscribers.

The case, which has sent shockwaves through Kenya’s tech and privacy circles, centers on accusations that two former Safaricom managers illegally accessed and attempted to sell subscriber data to businessman Benedict Kabugi Ndung’u. The leaked information reportedly included names, phone numbers, ID details, locations, and even betting histories — a serious breach of privacy that violates Kenya’s Data Protection Act of 2019.

According to court filings, the stolen data was intended for use in a new sports betting venture linked to Kabugi. He has since filed a petition seeking KSh 100 million in personal damages and an additional KSh 10 million per affected subscriber, a figure that could run into trillions of shillings if approved.

The collapse of the settlement talks means the case will now proceed to full trial, potentially setting a major precedent for data protection enforcement in Kenya’s digital economy. The Office of the Data Protection Commissioner (ODPC) has also been drawn into the matter, with consumer groups demanding stronger action against corporate data mishandling.

Public frustration over spam messages and unauthorized promotions has reignited calls for stricter oversight of telecom companies and data brokers.

As Kenya’s digital ecosystem grows, this case underscores an urgent truth: data is the new currency — and privacy the new frontier of justice.