Kenya Insights

Tag: Data leak

  • Moldovan Firm Deletes Leaked Kenyan Business Data Amid Investigation

    Moldovan Firm Deletes Leaked Kenyan Business Data Amid Investigation

    A Moldovan business intelligence firm, B2bhint, has taken down sensitive Kenyan business data from its website as Kenya’s data protection watchdog probes a major breach that could lead to fines and compensation claims against the country’s Business Registration Service (BRS).

    The data leak, which exposed business dealings of prominent Kenyan figures—including President William Ruto’s family, the Kenyatta family, and other influential investors—sparked concerns over the security of Kenya’s corporate registry. The breach reportedly made personal details such as residential addresses, phone numbers, and beneficial ownership information available for sale.

    B2bhint Pulls Data, Cites Legal Risks

    In response to the growing scrutiny, B2bhint said that it opted to remove the Kenyan data to avoid legal liability. The firm insisted that neither the BRS nor any Kenyan law enforcement agency had contacted it following the breach.

    “We have decided to temporarily remove all Kenyan company data from our website while we conduct further research to determine what information is permissible to publish,” the company said in a statement.

    However, B2bhint still hosts business data from other jurisdictions, including the UK, Dubai, Europe, and multiple U.S. states.

    Data Watchdog Launches Investigation

    Kenya’s Office of the Data Protection Commissioner (ODPC) has officially launched an investigation into the breach, focusing on whether the BRS failed to protect sensitive corporate data. If found liable, the State agency could face penalties of up to Ksh 5 million under the Data Protection Act of 2019.

    “The probe might take some time, but ultimately, we’ll publish a determination which will say who is liable and whether or not affected parties will need to be compensated,” an ODPC spokesperson stated.

    Beyond regulatory fines, the BRS could face hefty compensation claims from high-profile individuals whose data was exposed. Under Kenya’s data protection laws, affected individuals can sue for damages, potentially resulting in significant payouts.

    Breach Sparks Speculation Over Ransom Demands

    The breach has also fueled speculation about a possible ransom demand. Reports indicate that B2bhint was selling Kenyan business data in packages worth up to Ksh 24 million, with individual phone numbers priced as low as Ksh 2. A monthly subscription offering access to beneficial ownership details was reportedly going for $350 (Ksh 45,226).

    B2bhint denied hacking the data, instead blaming weak cybersecurity measures at the BRS for making it easily accessible.

    Scramble to Contain Damage

    Since the breach came to light last Friday, Kenyan authorities have been working to contain the fallout. The leaked data provided a rare public glimpse into the financial networks of Kenya’s wealthiest families, revealing information typically reserved for government agencies and select investors.

    BRS Director-General Kenneth Gathuma has not responded to requests for comment on the breach.

    Meanwhile, international cases highlight the costly consequences of such incidents. In January 2023, U.S. telecom giant AT&T agreed to pay $13 million (Ksh 1.67 billion) to settle an investigation into a data breach affecting 8.9 million customers.

    It remains unclear whether B2bhint will reinstate the Kenyan data, but the incident has raised serious concerns about the security of business records and the potential misuse of sensitive corporate information.

  • Major Data Leak Hits Business Registration Services in Cyber-Attack Exposes Sensitive Company Information

    Major Data Leak Hits Business Registration Services in Cyber-Attack Exposes Sensitive Company Information

    The Business Registration Services (BRS) has suffered a significant data breach following a cyber-attack, potentially exposing sensitive information about private companies to the public.

    The breach, which occurred on the night of Friday, January 31, has raised serious concerns about the security of confidential data held by government agencies.

    A source close to the matter confirmed the breach, revealing that BRS executives were locked in crisis meetings for most of Saturday, February 1, to address the fallout. The source, who spoke on condition of anonymity due to restrictions on speaking to the media, suggested that the breach may have involved an internal actor.

    “We still can’t say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach suggests an internal actor,” the source said.

    Data Exposed, Dark Web Links Confirmed

    The full extent of the stolen data remains unclear, but there are confirmed reports that the compromised information is being sold on the dark web, a hidden part of the internet often used for illegal activities.

    Kenya Insights has verified that the leaked data, hosted on a dark web site, includes records of all registered Kenyan companies dating back to 1967. The dump contains confidential information such as the names and contact details of company owners, directors, and beneficial owners.

    Data-Rich Target

    The BRS is one of the most data-rich entities within the Kenyan government, holding critical information on all registered companies, including their owners, beneficial owners, and directors. This data is typically accessible only through a paid service, but the breach has potentially made it available to anyone, bypassing the usual safeguards.

    The agency’s online database, which allows the public to access such information, is currently down and inaccessible. This has raised suspicions that the attackers may have deliberately taken the system offline as part of their operation.

    Additionally, the Office of the Official Receiver, which operates under the BRS, maintains records of companies in financial distress. It is feared that this sensitive data may also have been compromised in the breach.

    Motive Remains Unclear

    While the motive behind the attack is still unknown, sources indicate that authorities have ruled out ransomware as a likely cause. Ransomware attacks typically involve hackers demanding payment in exchange for restoring access to stolen data. In this case, the breach appears to have been aimed at exposing sensitive information rather than financial extortion.

    Legal and Regulatory Implications

    Under Kenya’s data protection laws, organizations are required to assess the extent of any data breach, notify affected parties, and take steps to contain the situation. The BRS is expected to issue a formal statement once the full scope of the breach is understood.

    This incident marks the first major data breach involving a government entity in over a year, following a cyberattack on Kenya Airways in late 2023, which resulted in the loss of significant customer data.

    UPDATE: BRS Confirms Data Breach, Investigation Underway

    The BRS has officially confirmed reports of a data breach affecting its company registry database.

    In a statement on Sunday, February 2, BRS Director General Kenneth Gathuma acknowledged the breach and stated that the agency had initiated an immediate response.

    “Upon receiving this information, we immediately activated our Incident Response Plan, launched a comprehensive investigation, and notified the relevant regulatory authorities,” the statement read.

    BRS further stated that its cybersecurity experts are working closely with law enforcement, investigative agencies, and cybersecurity partners to determine the extent of the breach and implement necessary containment measures.

    “Our cybersecurity experts, in collaboration with our cybersecurity partner, law enforcement, and investigative agencies, are assessing the scope of the incident, determining any potential impact, and implementing necessary containment and mitigation measures,” the agency added.

    BRS Director General Kenneth Gathuma.

    However, BRS noted that it is still in the process of verifying the details of the breach, including the nature and impact of any compromised data.

    “At this stage, we are still verifying the details of the alleged breach, including the nature and extent of any compromised data,” the statement continued.

    The agency assured stakeholders that affected parties would be directly engaged once the investigation is concluded.

    Strengthening Security Measures

    To mitigate further risk, BRS has implemented additional security measures to reinforce its cybersecurity infrastructure and prevent future incidents.

    Additionally, the agency has pledged to maintain transparency throughout the investigation process, promising regular updates to the public and business stakeholders.

    “Once the investigation is complete, we will provide an update and directly engage with any affected parties,” BRS stated.

    BRS has also called for cooperation from all relevant parties as it works toward a swift resolution.

    “We want to assure all stakeholders that the security and integrity of the company registry remain our top priority. As a precautionary measure, we have strengthened our security protocols to safeguard our systems and prevent future incidents,” added Director General Gathuma.

    The investigation is ongoing, with further updates expected as new information becomes available.