In May 2019, a data breach affected more than 11.5 million Safaricom subscribers; Safaricom employees carried it out. After a whistle-blower, Mr Benard Kabugi, reported the matter to Safaricom and the police, a sting operation was conducted that helped identify and arrest the perpetrators, with the whistle-blower, Benedict Kabugi, variously treated as a prosecution witness and afterwards as part of the ring that stole subscriber data.
At the behest of Safaricom, Mr Kabugi was arrested and charged in court for ‘demanding hundreds of millions of shillings’ as bounty hunting fees. Miffed by this turn of events, Mr Kabugi filed a class-action lawsuit against Safaricom in June 2019 for the data breach and on behalf of the 11 million subscribers whose data was compromised.
Since then, on various dates between June 2020 and January 2022, Mr Kabugi has written to the Office of the Director of Public Prosecutions to request a review of the criminal suit against him on the grounds of selective prosecution and abuse of the criminal process. All requests were denied.
Mr Kabugi’s request for a review is that Safaricom has targeted him for demanding compensation for the data breach. Mr Kabugi avers that after informing Safaricom of the data breach, a senior Safaricom employee, Patrick Kinoti, sent him money to “facilitate meetings” between the perpetrators of the data breach, which led to their subsequent arrest in May 2019. A month later, in June 2019, and in a curious turn of events, Mr Kabugi was arrested and charged with demanding money by menaces. Subsequently, Mr Kabugi was also charged with computer fraud. This is after he sent a demand notice to Safaricom to be paid an unspecified amount for the breach of his private
subscriber data.
In that same month, Mr Kabugi sued Safaricom on his behalf and that of 11.5 million Safaricom subscribers affected by the data breach. Safaricom would later deny there was ever a data breach, even though they were already the complainants in a criminal case against their staff members for stealing subscriber data. A few months later, Safaricom filed a civil suit in court, asking the court to restrain Mr Kabugi and their staff from sharing the data, effectively admitting to the data breach they had spent months denying.
In an affidavit in response to a class-action suit brought by Mr Ndungu against Safaricom, the telco’s senior manager, litigation Daniel Ndaba swore that the allegation that subscriber data may have been breached was “without any basis.”
“The respondent (Safaricom) has 32 million subscribers currently, and there is no evidence to show a breach of the rights of any of the said subscribers to warrant a grant of the orders sought by the petitioner,” Mr Ndaba asserted in the affidavit. He swore the affidavit on July 8, 2019.
Justice Weldon Korir allowed a plea by Safaricom to suspend the class action suit in the interim to allow for the criminal case to proceed to a conclusion. The averments by Mr Ndaba reveal the panic within Safaricom over the lawsuit.
If the class action suit is revived, Safaricom could be hit by enormous costs for failing to arrest the breach of confidential subscriber data. This is probably the eventuality Safaricom’s legal flip-flopping is meant to prevent.
Safaricom filed to shut up the people implicated in the leak, including its staff but then abandoned it, admitting to being alerted to the leak of subscriber data by a whistle-blower, who was even compensated for his services. This admission came on September 9, 2019, three months after Mr Ndaba’s original denial of a leak of subscriber data.
Selective prosecution
In what could give credibility to the idea of abuse of court processes, it is curious how the people who confessed to having transferred data to Mr Kabugi have not been charged or held liable. The Investigating Officer (IO), Sergeant Joseph Chebor, notes as follows in his statement:
“…I found that Benedict Kabugi received sample data from Mark Nderitu. Mark got it from Charles Kimani, who got it from Brian Wamatu and Billy Kinuthia. The chain worked so that the end person did not know the origin of the data….”
Neither Safaricom, in its civil suit, nor the prosecution, in its criminal charge again Mr Kabugi, have given evidence to show that Mr Kabugi had an agreement with the individuals in the chain. As Mr Kabugi notes in his letter to the ODPP, “I am the ‘end person’ in the chain ‘who did not know the origin of the data”. Mr Kabugi alleges a scheme between Safaricom and the Prosecution to sustain the conspiracy against him since none of the parties identified by investigators have been charged. “I believe this amounts to selective prosecution and discriminatory treatment against me.’
Instructively, there is no evidence to show that Mr Kabugi participated in the copying of confidential subscriber information. As well, the IO’s statement seems to exonerate him from wrongdoing.
Mr Kabugi has asked the ODPP to terminate the proceedings against him, terming the oppressive and unequal application of due process – as a result of issuing a ‘lawful demand notice’ to Safaricom – a breach of his constitutional rights to equal protection and benefit under Article 27(1) of the Constitution.
Mr Kabugi concludes that the criminal action against him is tainted with malice and is an exercise at settling scores because he dared sue Safaricom for breach of subscriber rights. (
Email your news TIPS to Editor@nairobilawmonthly.com, and to advertise with us, call +254715061658 anytime of the day
