How Safaricom mishandled subscriber data leak

By NLM Writer

Safaricom overlooked red flags while rogue staff stole data of some 11.5 million subscribers to trade the same with a famous sports gaming company, according to court documents that the Nairobi Law Monthly has obtained in the ongoing criminal and civil cases.

The documents also reveal that the destination of the massive data set was Pevans East Africa, a sports betting firm that trades as SportPesa, though the deal, it appears, did not come to fruition.

The civil and criminal cases reveal a leak that could have been prevented, the hand of a sports betting firm, and how Safaricom fumbled in its attempts to mitigate the situation.

But if overlooking the leak was bad enough, it is how Safaricom fumbled to contain it that made matters even worse. First, despite Safaricom having been informed of the data breach on or around May 20, 2019, and the telco making a report to the Directorate of Criminal Investigations (DCI) on May 30, 2019, it was not until almost a month later that the suspects Simon Billy Kinuthia, Brian Njoroge Wamatu, and Charles Njuguna Kimani were arrested. Mr Benedict Kabugi Ndungu, who in the court documents is said to have made the initial reports of the leak, was charged with demanding money with menaces, a charge he denies.

Mr Kinuthia was Safaricom’s senior manager, networks and Mpesa Systems Auditor, while Mr Wamatu also worked at Safaricom as head of Regional Expansion. Both legally had access to subscriber data, but they exploited a loophole that put the personal data of some 11.5 million subscribers at risk.

Mr Kinuthia and Mr Wamatu have been charged in the criminal case, but Mr Kimani walked free and is now a witness in the criminal case. Until their arrest and the confiscation of the suspects’ phones and laptops, no one could be certain what they might have done with the data.

The fumbling continued even after the suspects were arrested and charged in court. For instance, in one set of court papers, Safaricom denies that there had been a leak of customer data.

Some key filings and affidavits have been kept under lock and key at the registry at the request of the telco, but Nairobi Law Monthly is publishing this story because we believe it is of great public interest, seeing that detailed data of Safaricom subscribers were leaked.

The data that had been leaked contained details such as the full names (first name, middle name and surname) of all subscribers who gamble, the subscribers’ mobile numbers, their gender, date of birth and nationality, and the various betting platforms the subscribers gamble with.

It also had identity numbers, passport numbers, military identity card numbers, certificate of incorporation numbers, and alien identity card numbers of the subscribers; the total amounts expended on gambling by each of the subscribers, with the data being up to date; the number of betting companies, number of pay-ins, latest bet date and latest pay-in; the make and type of device used by the subscriber together with the device’s IMEI (International Mobile Equipment Identity) number; handset name and manufacturer; an indicator of the network used (2G/3G/4G); whether the handset is dual SIM or single SIM; and the location of the subscriber, including area, region and country.

In an affidavit in response to a class-action suit brought by Mr Ndungu against Safaricom, the telco’s senior manager for litigation, Daniel Ndaba, swore that the allegation that subscriber data may have been breached was “without any basis.”

“The respondent (Safaricom) has 32 million subscribers currently, and there is no evidence to show a breach of the rights of any of the said subscribers to warrant a grant of the orders sought by the petitioner,” Mr Ndaba asserted in the affidavit. He swore the affidavit on July 8, 2019.

Justice Weldon Korir allowed a plea by Safaricom to suspend the class-action suit in the interim to allow the criminal case to proceed to a conclusion. The averments by Mr Ndaba reveal the panic within Safaricom over the lawsuit.

If the class-action suit is revived, Safaricom could be hit with huge costs for failing to arrest the breach of confidential subscriber data.

In another set of documents, from a case Safaricom filed to silence the people implicated in the leak, including its own staff, but then abandoned, the telco admits to having been alerted to the leak of subscriber data by a whistle blower, who was even compensated for his services. This admission came on September 9, 2019, three months after Mr Ndaba’s original denial of a leak of subscriber data.

In the civil suit through which Safaricom was seeking a permanent injunction against Mr Ndungu, Mr Kinuthia and Mr Wamatu, the telco admits to the leak and details how the leak actually happened.

“The plaintiff avers that the 1st and 2nd defendants (Mr Kinuthia and Mr Wamatu respectively) breached their contractual and statutory duty not to disclose the private and confidential data in their possession,” the telco said in the civil plaint.

Below that paragraph, the mobile telecommunications giant details how the leak happened: Mr Kinuthia designed a script that would collate and analyse data in a form that was neither necessary nor required for Safaricom’s business. With the script in place, he and Mr Wamatu transferred confidential customer data from Safaricom servers to a Google Drive and/or laptops outside Safaricom’s control.

From there, they could download and disclose the data to third parties. “The 1st & 2nd defendants (Mr Kinuthia and Mr Wamatu respectively) offered for sale and/or sold confidential subscriber data obtained from the Plaintiff’s server. The 1st & 2nd Defendants used their positions to access data for purposes totally unrelated to the tasks they were required to or authorized to undertake,” Safaricom said in the suit.

In a statement, the investigating officer in the case, Sergeant Joseph Chebor, concluded that “The chain worked in a way that the end person did not know the origin of the data, a criminal enterprise network modus operandi.”

In the documents that NLM has reviewed, on June 10, 2019, lawyers for Mr Ndungu wrote a demand letter to Safaricom. In the letter, lawyer Martin Maina of Maina & Maina Advocates states that after Mr Ndungu alerted Safaricom to the leak, the telco’s staff, Mr Sitoyo Lopkoiyot, the chief financial services officer, and Patrick Kinoti, the head of the ethics and compliance department, had recruited him as a whistle blower “with promised reward.”

“As a sign of good faith, Mr Kinoti transferred Ksh50,000 via Mpesa to our client, and all parties were thereafter in constant communication,” says the lawyer in the letter, in which he was demanding that his client be paid the promised reward.

But in the civil suit by Safaricom, the telco says that Mr Ndungu “purported to convert himself into a whistle blower” after it became impossible to sell the data to SportPesa.

Apparently, the suspects, including the former Safaricom employees, had approached two senior officers of SportPesa to sell the data, which was a treasure trove of marketing information for any sports betting firm. One of the executives of SportPesa was willing to buy the stolen subscriber data on the condition that the ex-Safaricom staff committed to making the flow of such data continuous. The staff could not commit, and the deal fell apart.

*In our next issue, we bring you an insider’s account of Safaricom’s insidious attempts to collect enhanced user biometrics in the race for 5G dominance under the pretext of honouring a CA order to update client details.
