Kenya Insights

Tag: Safaricom data breach

  • THE RECKONING: How a Coffin Photo, a Framed Student, and a Telecom Giant’s Admission in Open Court Are About to Trigger Kenya’s Biggest Privacy War

    THE RECKONING: How a Coffin Photo, a Framed Student, and a Telecom Giant’s Admission in Open Court Are About to Trigger Kenya’s Biggest Privacy War

    Danstan Omari Calls on Millions of Kenyans to Join a Potentially Trillion-Shilling Constitutional Onslaught Against Safaricom After Court Exposes Systematic Subscriber Data Sharing Without Judicial Oversight

    There is a moment in every landmark legal battle when the central question stops being about money and becomes about something far more profound. That moment arrived in Courtroom Three of the Milimani Chief Magistrate’s Court on February 18, 2026, when a Safaricom employee took the witness stand and quietly confirmed, under cross-examination, that Kenya’s dominant telecommunications operator had handed the personal data, location records, and subscriber details of a twenty-four-year-old finance student to the Directorate of Criminal Investigations, without a court order, without judicial authorisation, and apparently without hesitation.

    The student, David Oaga Mokaya of Moi University, was promptly acquitted of all charges by Senior Principal Magistrate Caroline Nyaguthii Mugo. The prosecution collapsed under the weight of its own procedural lawlessness. But the courtroom revelation, made under oath by Safaricom employee Daniel Hamisi, has ignited a legal firestorm that threatens to engulf not only the Nairobi Stock Exchange’s most capitalised company but the entire framework governing how telecommunications operators cooperate with Kenya’s security apparatus.

    Advocate Danstan Omari, the combative and media-savvy lawyer who led Mokaya’s defence alongside colleagues Shadrack Wambui and Martina Swiga, stepped outside the court building minutes after the acquittal and delivered a declaration that reverberated far beyond the immediate case. He was not simply announcing a Sh200 million compensation claim. He was sounding a mobilisation call to every Kenyan subscriber who has ever wondered whether their most intimate digital information, their location at any given hour, their communications, their financial transactions, their very movements through Kenyan space and time, is genuinely protected by law or merely by corporate assurances that have, in this instance, been exposed as legally hollow.

    “This is not just about David Mokaya,” Omari told reporters, his voice carrying the precision of a man who had been waiting for precisely this factual foundation. “It is about restoring sanity to the telecommunications sector. Every Kenyan whose privacy has been violated in this manner now has a justiciable claim. Come forward. We will go to the High Court together.”

    A Social Media Post, a Presidential Coffin, and a Trial That Should Never Have Happened

    The sequence of events that led to this moment began in November 2024 with an image circulated on X, formerly Twitter. The post depicted a funeral procession, a casket draped in the Kenyan flag, and a caption that prosecutors alleged was designed to mislead the public into believing President William Ruto had died. Mokaya was identified as the suspect, arrested in Eldoret on November 15, 2024, and charged under the Computer Misuse and Cybercrimes Act with publishing false information.

    What emerged during the trial was more damaging to the prosecution than to the accused. DCI Chief Inspector Bosco Kisau confirmed in testimony that investigators had sent a written request to Safaricom on November 14, 2024, the day before the arrest, seeking Mokaya’s phone number, location data, and subscriber details. The request was signed by a senior DCI officer. There was no court order attached. There was no judicial oversight applied. Hamisi, appearing on behalf of Safaricom, confirmed the company released the data the same day it received the request, on the basis of that letter alone. Defense counsel Ian Mutiso pressed the DCI officer directly: was he aware that subscriber details could only be released to a third party pursuant to a court order? The officer admitted he was not aware of the High Court ruling establishing that requirement.

    Magistrate Mugo acquitted Mokaya on all counts. She found that prosecutors had failed to conclusively link him to the disputed post, that key digital evidence had been obtained without valid court orders authorising search and extraction, and that the entire investigation was procedurally compromised from its foundation. Mokaya’s phone, laptop, and national identification card had been seized before any search warrant was obtained. The digital examination that followed was constitutionally inadmissible. The case was, in the court’s assessment, built entirely on an unlawful base.

    Omari, speaking with evident anger, noted that his client “can’t even talk due to mental trauma and shock” following more than a year of prosecution for something he did not do, on the basis of data his telecommunications provider surrendered without a single judge being consulted.

    The Demand Letter, the Constitutional Petition, and the Warning That Came With It

    Within hours of the acquittal, the legal team issued a forty-eight-hour demand notice to Safaricom PLC, seeking Sh200 million in compensation. The notice grounded its claims in Article 31 of the Constitution of Kenya, 2010, which guarantees every person the right not to have their privacy of their person, home, or property infringed; the right not to have their possessions seized; and the right not to have their communications infringed. The team also cited Article 28, which protects human dignity, arguing that personal data, location information, and communications records fall squarely within its protection, as well as the Data Protection Act, 2019, which establishes specific obligations on data controllers regarding consent, purpose limitation, and lawful disclosure.

    Safaricom did not pay. Through its lawyers, the company denied the allegations as “not only false but also malicious,” reiterating its publicly stated position that it only releases customer information when explicitly required by law or by court order. The constitutional petition was filed at the High Court’s Constitutional and Human Rights Division the following Monday morning.

    That filing, however, is only the beginning of what Omari has mapped out as a rolling legal campaign. He has explicitly invited all Kenyans who believe their data was disclosed to security agencies, the DCI, the National Police Service, or any other authority, without court sanction, to contact his chambers and join what he has characterised as a potential class action of historic proportions. The arithmetic of that ambition is staggering. Safaricom holds subscriber data for approximately forty-six million Kenyans. If even a fraction of those subscribers could demonstrate unlawful disclosure, the aggregate compensation exposure would run into figures that make the Sh200 million anchor claim look modest by comparison.

    Omari has publicly raised the spectre of a Sh1 trillion lawsuit against the company, should the scope of affected subscribers be as wide as civil society groups and investigative journalists have long alleged.

    A Company Under Siege From Every Direction

    It would be tempting to dismiss the Mokaya case as an isolated procedural failure, a single DCI officer who did not know the rules, a single Safaricom employee who complied too readily. The broader record of litigation and investigative reporting makes that characterisation impossible to sustain.

    Safaricom faces a staggering Sh115 trillion lawsuit after two former senior managers allegedly conspired with external accomplices to create an algorithm mining subscriber data based on betting patterns, stealing detailed personal information on 11.5 million Kenyans, including full names, national ID numbers, passport numbers, gambling transaction histories, M-Pesa details, and precise subscriber locations. Settlement talks in this case collapsed in October 2025, and it is now headed for full trial.

    In February 2025, the company was named as a defendant in a separate Sh1.432 billion suit arising from an alleged breach of a central development server in its finance department, a breach claimed to have exposed approximately forty-three million customer records.

    Then there is the M-TIBA breach, in which hackers claimed to have stolen over 2.15 terabytes of data from Safaricom’s mobile health platform, potentially exposing the records of up to 4.8 million users including medical diagnoses and billing records.

    The pattern extends beyond data breaches into the relationship between the company and the state’s coercive machinery.

    In October 2024, investigations by Nation Africa revealed that Safaricom’s partner Neural Technologies created software that automated security agencies’ access to the company’s call data records.

    Among the tools provided was a browser portal that could allow security agency officers in the field to track people in real time, as well as a visualisation function colloquially described internally as “Find My Friends,” enabling police to predictively profile individuals based on patterns of movement and association.

    Safaricom also filed a strategic litigation against public participation suit against a journalist who sought to disclose information regarding the company’s data-sharing practices with police between June and October 2024, at the height of protest-related abductions and enforced disappearances.

    That legal manoeuvre, far from projecting confidence, confirmed in the eyes of critics that there was something the company did not want a court to examine. The Kenya Human Rights Commission and Muslims for Human Rights subsequently issued a formal open letter demanding accountability; Safaricom’s lawyers again deployed the adjective “malicious” in response.

    The 2024 anti-Finance Bill protests, during which civil society groups accused Safaricom of facilitating the tracking of demonstrators in real time, generated particular public anger and are likely to produce their own tranche of potential claimants. At least sixty people died during that crackdown. The question of who was tracked, by what means, and on whose authority, has never been publicly and judicially resolved.

    What the Law Actually Requires

    The legal framework Omari is deploying is not novel, but the Mokaya case has provided something that previous accusations lacked: sworn testimony in a concluded criminal proceeding, from Safaricom’s own witness, confirming the practice. That shifts the case from allegation to admission.

    Lawyer Danstan Omari
    Lawyer Danstan Omari

    The Data Protection Act, 2019, governs how organisations holding personal data may process and disclose it. Section 26 provides data subjects with the right not to have their personal data processed except in accordance with the Act. Schedule 1 lists the limited conditions under which processing is lawful; cooperation with law enforcement is permissible, but not unconditional.

    A July 2025 High Court ruling added further constitutional weight to this framework, finding that once IMEI identifiers are linked to a user, they constitute personal data and merit constitutional protection, a ruling that narrows the space for casual sharing of technical subscriber information that Safaricom might previously have characterised as non-personal.

    The courts have previously allowed class action mechanisms to operate against Safaricom in data-related matters. In an earlier case involving the collection of banking information through SIM registration, a High Court judge permitted senior counsel to publish newspaper notices inviting subscribers to join a constitutional petition. The legal infrastructure for aggregating individual claims therefore already exists and is familiar to the judiciary. Omari’s invitation to Kenyans is not rhetorical speculation; it is a procedurally viable litigation strategy.

    The No-Win Arithmetic of a Corporate Giant

    Legal analysts who reviewed the Mokaya claim for this publication described Safaricom’s position as structurally precarious, regardless of the outcome of any individual case. If the company contests the constitutional petition and loses, it will have created binding precedent that gives a judicially validated cause of action to every subscriber whose data was disclosed without court authorisation. If it settles out of court, even confidentially, it concedes the principle and emboldens further claimants. If it continues to deny while court after court hears sworn testimony from its own employees about disclosure practices that are difficult to reconcile with its stated policy, the reputational damage compounds with each proceeding.

    The company reported revenues of Sh311.6 billion in its most recent financial year and holds Kenya’s dominant mobile money ecosystem through the M-Pesa platform. The Office of the Data Protection Commissioner is empowered to impose administrative penalties for Data Protection Act violations, though critics note that the current maximum fines represent a rounding error for an enterprise of Safaricom’s scale. The transformative accountability will only come through the courts, and through the kind of mass constitutional litigation that Omari is now actively assembling.

    The Human Dimension That Numbers Cannot Capture

    In the focus on figures, it is easy to lose sight of what a Sh200 million claim is actually compensating for. David Mokaya was pulled from his student accommodation in Eldoret, his devices seized, his name placed in the public record as a criminal suspect, his academic year disrupted, and his mental health damaged, all because a police officer wrote a letter and a telecommunications company replied by email with his personal information, without either party pausing to ask a judge whether any of it was lawful. Magistrate Mugo concluded from the evidence that he had been framed. The post may not even have been genuine.

    Omari described Mokaya’s condition after acquittal in terms that go beyond legal vocabulary. A young man who was studying finance, planning a future, and exercising his right to exist in a digital space, had been transformed into a defendant and a spectacle. His data, the intimate technical trace of his life, had been weaponised against him by the very system of law that the Constitution was designed to constrain.

    That is the story that Omari is now telling to every Kenyan who holds a Safaricom SIM card, which is to say, to almost every Kenyan adult. The next person whose location is sold to an investigator with a letter and no court order may not be a student posting images online. It may be a journalist, an opposition politician, a union organiser, a protester, a businessperson, or simply someone who was in the wrong place when a DCI officer’s map turned red. The constitutional petition in the Mokaya case will decide whether that possibility can continue unchallenged.

    What Comes Next

    The High Court’s Constitutional and Human Rights Division will hear the petition. Mokaya’s team is expected to seek conservatory orders restraining further disclosure of subscriber data without judicial sanction, pending the determination of the substantive claim. The court may, as it has done in previous Safaricom class action matters, direct publication of a notice inviting affected Kenyans to join the proceeding or register as interested parties.

    The Office of the Data Protection Commissioner may also be expected to take a position, given that the sworn testimony in the criminal trial effectively placed on the public record a disclosure practice that, on its face, is inconsistent with the statutory framework the Commissioner is mandated to enforce.

    Safaricom’s response to the constitutional petition, when filed, will be scrutinised for whether the company retreats from its lawyers’ characterisation of the claims as “malicious” in the face of its own employee’s sworn account of what occurred.

    What is certain is that the legal, regulatory, and reputational landscape Safaricom occupied before February 18, 2026 no longer exists. The Mokaya acquittal did not merely free one student. It generated a judicial record, a public admission, and a constitutional cause of action that advocates are now scaling into something that could reshape the relationship between corporate Kenya, the security state, and the forty-six million subscribers whose most intimate data sits on Safaricom’s servers.

    As Omari put it, with the kind of simplicity that good lawyers deploy when the facts require nothing more complex: “For the police to obtain your location or personal data from Safaricom, they must first obtain a court order. Without that order, any disclosure is unconstitutional.”

    The question now is whether enough Kenyans believe that to fill the High Court.

  • Safaricom Faces Avalanche of Lawsuits Over Data Privacy as Acquitted Student Demands Sh200mn Compensation in 48 Hours

    Safaricom Faces Avalanche of Lawsuits Over Data Privacy as Acquitted Student Demands Sh200mn Compensation in 48 Hours

    Safaricom PLC, Kenya’s dominant telecommunications operator with more than 46 million subscribers, finds itself at the centre of an escalating legal storm that lawyers warn could unleash a torrent of constitutional petitions challenging how the company has handled customer data when cooperating with law enforcement agencies.

    The crisis was triggered by a ruling handed down on February 19 by Principal Magistrate Carolyne Nyaguthii Mugo at the Milimani Chief Magistrate’s Court in Nairobi, which acquitted David Oaga Mokaya, a 24-year-old university student, of cybercrime charges.

    Prosecutors had alleged that Mokaya published a manipulated social media image depicting a funeral procession with a casket draped in the Kenyan flag, captioned as showing President William Ruto’s body leaving Lee Funeral Home.

    The magistrate threw out the charges under Section 215 of the Criminal Procedure Code, finding that the prosecution had failed to prove its case beyond reasonable doubt. Crucially, she excoriated investigators for seizing and forensically examining Mokaya’s electronic devices without first obtaining valid court orders — a procedural failure she said rendered the evidence obtained constitutionally inadmissible.

    Within hours of the acquittal, Mokaya’s legal team — comprising advocates Danstan Omari, Shadrack Wambui, and Martina Swiga — issued a 48-hour demand notice to Safaricom PLC, seeking Sh200 million in damages for what they describe as the unlawful disclosure of their client’s location data and personal information to investigators in the absence of a court order.

    The demand threatens constitutional proceedings at the High Court’s Constitutional and Human Rights Division should Safaricom decline to admit liability.

    ‘For the police to obtain your location or personal data from Safaricom, they must first obtain a court order. Without that order, any disclosure is unconstitutional.’ Danstan Omari, advocate for David Mokaya

    The ‘Hard Place and the Rock’ Dilemma

    Legal analysts and market observers are already describing Safaricom’s predicament as a no-win situation. If the company contests the claim and loses at trial, it faces the prospect of opening the floodgates to thousands of similar lawsuits from Kenyans who believe their data was shared with the Directorate of Criminal Investigations (DCI) or other security agencies without judicial authorisation.

    Conversely, should the company settle out of court, the precedent set by even a confidential agreement could embolden further claimants.

    The stakes are particularly high given what lawyers describe as systematic and longstanding data-sharing practices between Safaricom and law enforcement.

    In November 2024, an investigation by journalists Namir Shabibi and Claire Lauterbach, published in partnership with Kenya’s Daily Nation, alleged that Safaricom had, for years, given security agencies virtually unfettered access to subscriber data — including call data records (CDRs) and real-time location information — without court orders, facilitating the tracking of suspects later linked to enforced disappearances and extrajudicial killings.

    The Kenya Human Rights Commission (KHRC) and Muslims for Human Rights (MUHURI) issued a formal open letter to Safaricom in late 2024 demanding an accounting of the allegations and warning of legal consequences.

    Safaricom, through its lawyers, denied the allegations as “not only false but also malicious.” The company has maintained publicly that it shares customer data only when “explicitly required via a court order.”

    A Company Already Besieged

    The Mokaya case is far from the only data-related litigation confronting the Nairobi Stock Exchange-listed company.

    In 2025, Safaricom was named as a defendant in a KES 1.432 billion lawsuit filed in February, arising from an alleged breach of a central development server in its finance department that is claimed to have exposed approximately 43 million customer records.

    That suit also names the Attorney General and the Director of Public Prosecutions, with the complainant alleging that the DCI and the Serious Crimes Unit conspired with Safaricom to suppress evidence and fabricate exhibits.

    Separately, two former senior Safaricom managers stand accused in both civil and criminal proceedings of extracting and attempting to sell personal data belonging to 11.5 million subscribers — approximately 23 per cent of the company’s customer base — to a major sports betting firm.

    That data cache included full names, national ID numbers, passport numbers, M-Pesa transaction histories, precise location data, and gambling records, representing what some have characterised as potentially the largest corporate privacy violation in African history. The civil case, in which settlement talks collapsed in October 2025, is now headed for a full hearing.

    In February 2025, the Office of the Data Protection Commissioner (ODPC) ordered Safaricom and Becton Dickinson East Africa to pay damages of Sh250,000 each for unlawfully processing the personal data of a former employee, Catherine Kainyu Murithi, without her consent — a ruling that, while modest in quantum, established a precedent for regulatory accountability.

    ‘The David Mokaya case is a landmark decision that is going to bring sanity to the telecommunications sector.’ Danstan Omari, advocate

    The Constitutional Framework

    Kenya’s Data Protection Act, enacted in 2019, established comprehensive obligations on data controllers and processors, including telecommunications companies, prohibiting the sharing of personal data without the data subject’s consent or a lawful basis such as a court order.

    The Act is enforced by the ODPC, which has gradually stepped up its regulatory posture in recent years.

    The constitutional dimension of the Mokaya claim rests primarily on Article 31, which guarantees every person the right to privacy including in respect of their communications, home, and personal information, and Article 28, which protects human dignity.

    The legal team argues that personal data — messages, contacts, location, and financial records — are extensions of a person’s dignity and are entitled to heightened protection.

    The Milimani ruling reinforces a growing body of Kenyan jurisprudence holding that electronic devices attract “heightened constitutional protection” by virtue of the extensive personal data they contain, and that any search or extraction of that data must be preceded by proper judicial authorisation.

    The magistrate’s explicit condemnation of the investigators’ failure to produce valid warrants during the Mokaya trial is already being cited by legal practitioners as a significant elaboration of digital rights standards.

    Potential Floodgate of Claims

    Human rights lawyers and civil society organisations warn that the Mokaya judgment, if the constitutional petition proceeds and succeeds, could open the way for a far larger wave of litigation.

    Thousands of Kenyans who were arrested, prosecuted, or subjected to surveillance in cases that relied on subscriber data shared by Safaricom without a court order may now have a constitutional cause of action against the company.

    The 2024 anti-Finance Bill protests, during which civil society groups accused Safaricom of facilitating the tracking of demonstrators in real time, generated particular public anger and are likely to produce their own tranche of potential claimants.

    Advocate Omari described the forthcoming petition as “potentially precedent-setting,” arguing it would compel the courts to definitively resolve how telecommunications companies must balance cooperation with law enforcement against their constitutional and statutory obligations to subscribers.

    Danstan Omari.

    “This case could redefine how telecom companies cooperate with law enforcement agencies,” he said, adding that its implications for digital surveillance practices would be “far-reaching.”

    In Kenya, courts have already allowed class action suits to proceed against Safaricom, with the High Court in an earlier case permitting senior counsel to publish notices inviting subscribers to join constitutional petitions.

    The legal infrastructure for aggregated claims therefore already exists and is familiar to the judiciary.

    Safaricom’s Position and Commercial Exposure

    Safaricom, which reported revenues of Sh311.6 billion in its most recent financial year and holds a dominant position in Kenya’s mobile money ecosystem through its M-Pesa platform, has not publicly responded to the Mokaya demand notice as of the time of publication.

    The company’s published privacy policy states that it does not share customer information unless required by law or a court order, and it holds multiple internationally recognised data security certifications, including ISO 27701 and ISO 27001.

    It is regulated by the ODPC, the Communications Authority of Kenya, and the Central Bank of Kenya.

    The company has historically maintained that interactions with its Law Enforcement Liaison Office operate within the bounds of the law.

    However, critics argue that the very existence of a dedicated liaison structure facilitating data flows to security agencies — particularly given findings about CDR handling and alleged manipulation of records surfaced in investigative journalism — points to systemic practices that courts have yet to fully scrutinise.

    Investors tracking Safaricom’s shares on the Nairobi Securities Exchange will note that a sustained legal campaign, particularly one that captures public attention and attracts additional petitioners, carries not only direct financial liability but reputational damage in a market where trust in data stewardship is increasingly valued by both consumers and institutional stakeholders.

    What Happens Next

    The 48-hour ultimatum issued to Safaricom expired on February 22, 2026. Should the company fail to respond or decline to admit liability, Omari has committed to filing a constitutional petition at the High Court the following Monday morning.

    A successful petition seeking Sh200 million in damages would, legal practitioners note, not be the end but the beginning: it would crystallise a cause of action that tens of thousands of Kenyans could replicate.

    The case also arrives at a moment of heightened scrutiny for the relationship between African telecommunications companies and state security apparatus more broadly.

    From Nigeria to Ethiopia to South Africa, regulators and civil society groups have pushed for clearer legal frameworks governing when and how network operators may disclose subscriber data to authorities.

    The outcome of the Mokaya constitutional petition, and any eventual class action that follows, is therefore likely to be watched beyond Kenya’s borders.

    For Safaricom, caught between the demands of law enforcement agencies that depend on its cooperation and the constitutional rights of the 46 million subscribers whose data it holds, the Mokaya case has crystallised a tension that the company can no longer defer.

    The question now is not whether it will face a wave of data privacy litigation, but how large and how organised that wave will be.