Ali AwDoll
Nairobi, Kenya.
Telecommunications giant Safaricom PLC is set to face heightened legal scrutiny after talks to resolve a long-running data privacy dispute collapsed, clearing the way for a full High Court hearing.
The case, first filed in 2019, stems from the alleged unauthorized extraction and sharing of personal data belonging to more than 11.5 million subscribers — roughly 23% of Safaricom’s customer base.
Settlement discussions broke down during a High Court session on October 8, 2025, with the parties unable to reach agreement. The court has now scheduled a pretrial conference for October 30 to confirm the filing of all pleadings and prepare for substantive hearings.
The case has since expanded into multiple parallel proceedings, including civil suits seeking injunctions against further data dissemination, a constitutional petition alleging violations of the Data Protection Act, and criminal investigations by the Directorate of Criminal Investigations (DCI).
At the center of the dispute are former Safaricom employees Simon Billy Kinuthia and Brian Njoroge Wamatu, who held senior roles in network systems, M-Pesa audits, and regional expansion. Court filings indicate that the pair allegedly abused their system access privileges to compile subscriber details — including names, national IDs, phone numbers, and betting transaction histories — from M-Pesa servers. The data was reportedly exported to password-protected Google Drives inaccessible to Safaricom and later copied onto personal laptops, two of which remain missing, hampering DCI recovery efforts.
Safaricom accuses the former staffers of gross misconduct and breach of confidentiality, while also clashing with whistleblower Benedict Kabugi, who brought the issue to light. The company has described Kabugi as a “fake whistleblower” who allegedly demanded Sh100 million to disclose the full source of the breach.
Kabugi, however, filed a constitutional petition in June 2025, accusing Safaricom of failing to safeguard subscriber data. He is seeking Sh100 million in personal damages and an additional Sh10 million per affected customer — a claim that could expose the company to trillions of shillings in liability if upheld.
Investigators believe the compromised data was primarily drawn from customers who registered phone numbers on sports betting platforms. Portions of the dataset were allegedly shared with an unnamed betting company, fueling fears of targeted marketing, unsolicited spam, and potential identity theft. Safaricom has petitioned the court for protection from potential class-action suits and regulatory penalties, warning that the stolen information could still be sold or transferred to third parties.
News of the failed settlement triggered widespread anger online, with thousands of Kenyans expressing outrage at what many view as a betrayal of customer trust.
“No wonder our inboxes are flooded with gambling ads daily. Sharing people’s private data is illegal,” wrote Sylvester Nzomo, a teacher and Liverpool FC supporter with over 7,000 followers on X (formerly Twitter).
“Kenyans made Safaricom what it is. Yet this is how they treat loyal customers — like data points, not people,” posted Richard Mechack, another X user.
Others, like @Ms_Kamau_, directly tagged the company’s customer care handle:
“Why is my number still in the hands of betting firms and money lenders? This isn’t an inconvenience — it’s a breach. I’ll be seeking legal redress too.”
The case highlights the growing enforcement of Kenya’s Data Protection Act (2019), which established the Office of the Data Protection Commissioner (ODPC). The ODPC has fined several organizations for similar violations over the past three years, amid rising concerns about digital privacy and corporate responsibility.
Globally, the Safaricom case mirrors high-profile breaches that have led to multimillion-dollar penalties against firms such as Uber and Equifax for inadequate data safeguards. Consumer advocacy groups, including the Consumers Federation of Kenya (COFEK), warn that a landmark ruling could reshape data privacy jurisprudence in Kenya and the wider region.
Safaricom, which commands over 50 million subscribers and remains Kenya’s most profitable company, has not issued a new statement since the collapse of settlement talks. In earlier communications, the firm reiterated its commitment to data security and pledged full cooperation with regulators.
However, the company faces increasing scrutiny amid separate investigations into alleged state surveillance practices and broader questions about corporate accountability in Kenya’s digital economy.
As the case heads to pretrial, legal analysts say it could become Kenya’s most consequential data privacy lawsuit to date, setting precedent on how courts handle digital rights, corporate negligence, and mass consumer harm.