Kenya Insights

Tag: Business Registration Service (BRS)

  • Moldovan Firm Deletes Leaked Kenyan Business Data Amid Investigation

    Moldovan Firm Deletes Leaked Kenyan Business Data Amid Investigation

    A Moldovan business intelligence firm, B2bhint, has taken down sensitive Kenyan business data from its website as Kenya’s data protection watchdog probes a major breach that could lead to fines and compensation claims against the country’s Business Registration Service (BRS).

    The data leak, which exposed business dealings of prominent Kenyan figures—including President William Ruto’s family, the Kenyatta family, and other influential investors—sparked concerns over the security of Kenya’s corporate registry. The breach reportedly made personal details such as residential addresses, phone numbers, and beneficial ownership information available for sale.

    B2bhint Pulls Data, Cites Legal Risks

    In response to the growing scrutiny, B2bhint said that it opted to remove the Kenyan data to avoid legal liability. The firm insisted that neither the BRS nor any Kenyan law enforcement agency had contacted it following the breach.

    “We have decided to temporarily remove all Kenyan company data from our website while we conduct further research to determine what information is permissible to publish,” the company said in a statement.

    However, B2bhint still hosts business data from other jurisdictions, including the UK, Dubai, Europe, and multiple U.S. states.

    Data Watchdog Launches Investigation

    Kenya’s Office of the Data Protection Commissioner (ODPC) has officially launched an investigation into the breach, focusing on whether the BRS failed to protect sensitive corporate data. If found liable, the State agency could face penalties of up to Ksh 5 million under the Data Protection Act of 2019.

    “The probe might take some time, but ultimately, we’ll publish a determination which will say who is liable and whether or not affected parties will need to be compensated,” an ODPC spokesperson stated.

    Beyond regulatory fines, the BRS could face hefty compensation claims from high-profile individuals whose data was exposed. Under Kenya’s data protection laws, affected individuals can sue for damages, potentially resulting in significant payouts.

    Breach Sparks Speculation Over Ransom Demands

    The breach has also fueled speculation about a possible ransom demand. Reports indicate that B2bhint was selling Kenyan business data in packages worth up to Ksh 24 million, with individual phone numbers priced as low as Ksh 2. A monthly subscription offering access to beneficial ownership details was reportedly going for $350 (Ksh 45,226).

    B2bhint denied hacking the data, instead blaming weak cybersecurity measures at the BRS for making it easily accessible.

    Scramble to Contain Damage

    Since the breach came to light last Friday, Kenyan authorities have been working to contain the fallout. The leaked data provided a rare public glimpse into the financial networks of Kenya’s wealthiest families, revealing information typically reserved for government agencies and select investors.

    BRS Director-General Kenneth Gathuma has not responded to requests for comment on the breach.

    Meanwhile, international cases highlight the costly consequences of such incidents. In January 2023, U.S. telecom giant AT&T agreed to pay $13 million (Ksh 1.67 billion) to settle an investigation into a data breach affecting 8.9 million customers.

    It remains unclear whether B2bhint will reinstate the Kenyan data, but the incident has raised serious concerns about the security of business records and the potential misuse of sensitive corporate information.

  • Fraud Claims Rock Business Registration Service (BRS), DCI Launch Probe

    Fraud Claims Rock Business Registration Service (BRS), DCI Launch Probe

    Detectives from the Directorate of Criminal Investigations (DCI) have launched investigations at the Business Registration Service (BRS) following reports of individuals losing their directorship and shareholding in companies through document forgery. According to sources within the DCI, the multimillion-shilling fraud is being carried out by outsiders with the help of corrupt employees within the BRS.

    Last month, DCI detectives were forced to obtain an arrest warrant for BRS Director General Kenneth Gathuma to compel him to release documents tied to the fraudulent activities. These activities have resulted in business owners losing shares worth hundreds of millions of shillings in various companies. In some cases, after falsifying documents at the BRS, the fraudsters changed company ownership and sold off properties worth millions.

    A senior detective from the DCI’s Serious Crime Unit stated, “We decided to intervene after receiving numerous complaints from business owners regarding the ongoing fraud at the BRS, where we suspect several employees are involved.”

    One such case occurred last year when Josiah Nicholas Mbathi Mwangi, a city businessman, was charged in court for forging documents to oust his co-directors from Nimba Technologies, a company specializing in the importation of surveillance and security products. Appearing before Senior Principal Magistrate Bernard Ochoi at the Milimani Law Courts, Mwangi faced five forgery charges, including falsifying an affidavit and company minutes, purporting them to be genuine and signed by his co-director, Njeri Kinuthia. Mwangi was also accused of forging a company share transfer deed and a resignation form, both of which he claimed were legitimate and signed by Njeri.

    Investigators believe that individuals like Mwangi submit these forged documents to accomplices at the BRS, where the changes in directorship and shareholding are swiftly processed. The fraudsters are so meticulous in their approach that they have been able to file annual returns at the BRS for years without the defrauded parties noticing.

    While acknowledging that DCI detectives have been stationed at their headquarters, the BRS has distanced itself from the fraudulent activities. BRS Director General Kenneth Gathuma stated that his team has always worked closely with state agencies, including law enforcement, providing them with necessary evidence and information to assist in investigations and court proceedings.

    Regarding the warrant of arrest issued on August 27, 2024, Gathuma mentioned that the BRS immediately engaged with DCI investigators to address the matter. He clarified that the Registrar of Companies acts based on information filed online at the BRS by authorized company representatives during any changes in shareholding or directorship.

    While Gathuma denied allegations that BRS officials collude with criminals, he admitted that many fraudulent transactions originate from “dishonest individuals” who have gained access to the system using their credentials. “In all these cases, it is the individuals accessing the system through their user accounts who are responsible for the fraudulent actions,” he explained.

    Gathuma also revealed that the BRS has handled numerous cases of alleged fraudulent changes in company ownership and has taken corrective measures upon receiving valid complaints. He emphasized that no BRS officer has been convicted of involvement in the fraud since the automation of their business processes in 2016. However, a disciplinary process is ongoing involving the loss of credentials by one officer to an external fraudster.