For years, Safaricom has marketed itself as the trusted custodian of Kenya’s digital life.
From M-Pesa transactions and mobile communications to personal identity records and location data, millions of Kenyans have handed over their most sensitive information to the country’s largest telecommunications company with the expectation that it would be protected.
But a recent High Court judgment has reopened uncomfortable questions about one of the most serious data privacy scandals in Kenya’s corporate history, raising concerns not only about how the data was allegedly stolen, but also about what happened after Safaricom discovered the breach.
At the centre of the controversy is the alleged theft of personal data belonging to approximately 11.5 million subscribers. Court records indicate that the information included names, identification details, betting histories, financial transaction records, device information and location data. The data was allegedly extracted by senior employees who had privileged access to Safaricom’s systems and later sold to entities in the betting industry including Odibets and Betika.
What makes the case particularly explosive is that while Safaricom supported criminal proceedings against the employees accused of stealing the data, questions remain over why the companies alleged to have purchased the information were never subjected to similar scrutiny.
The High Court judgment delivered in May 2026 found that Safaricom violated constitutional rights relating to privacy, dignity and consumer protection. The ruling awarded compensation to a group of petitioners and placed renewed attention on the company’s handling of the breach and its obligations to customers.
Safaricom has continued to do business with the betting firms by allowing transactions through M-Pesa.
For many observers, the most troubling aspect of the saga is what happened after the company became aware of the breach.
Millions Kept in the Dark
Data breaches have become a fact of life in the digital age. What often determines public reaction is how companies respond once they discover a problem.
Across global markets, major corporations typically notify customers, warn them of potential risks and provide guidance on how to protect themselves from fraud or identity theft.
Critics argue that Safaricom did the opposite.
According to court filings, the company became aware of the breach years ago. Yet millions of subscribers whose information was allegedly compromised were never directly informed that their personal details may have been exposed.
As the case dragged through the courts, affected customers continued using Safaricom services without knowing that records linked to their identities, financial transactions and betting activity had allegedly been circulating outside the company’s control.
Privacy advocates say this left subscribers unable to take basic precautions against potential fraud, impersonation or other misuse of their personal information.
A Tale of Two Responses
Safaricom has consistently maintained that the breach resulted from criminal actions by rogue employees.
The company reported the matter to investigators, supported criminal prosecutions and has argued that the individuals involved acted outside the scope of their employment.
However, court records cited in the constitutional proceedings point to a more complicated picture.
The same forensic evidence being used in criminal proceedings allegedly identified entities that received or purchased the stolen information. Yet despite years of investigations and litigation, attention has remained focused almost exclusively on the individuals accused of stealing the data.
That has fuelled criticism from privacy campaigners and consumer rights advocates who question why the alleged sellers faced prosecution while the alleged buyers escaped similar public scrutiny.
The issue becomes even more sensitive when viewed through the lens of business relationships.
Many betting companies are among the largest users of M-Pesa’s payment infrastructure. Every transaction processed through the platform generates revenue for Safaricom. The result is an uncomfortable perception problem for the telecom giant.
Critics argue that pursuing former employees carried limited commercial consequences, while aggressively targeting companies linked to significant transaction volumes could have created financial and reputational risks.
Safaricom has denied benefiting from the breach, and the court stopped short of making a definitive finding on whether the company financially gained from the alleged misuse of customer information.
Even so, the perception of a conflict between commercial interests and customer protection continues to cast a long shadow over the case.
The Governance Question
Beyond the legal battles lies an even bigger corporate governance issue.
How could data relating to millions of subscribers allegedly leave one of Africa’s most sophisticated telecommunications networks without triggering immediate alarms?
The case has exposed concerns about internal controls, access management, oversight mechanisms and accountability within organisations that hold vast quantities of personal information.
The High Court’s findings suggest the breach was not merely the result of individual misconduct but reflected wider failures in data governance and security safeguards.
For investors, regulators and consumers alike, that conclusion may prove more damaging than the breach itself.
Trust Is the Real Currency
Safaricom’s greatest asset has never been its towers, fibre network or payment systems.
It has been trust.
Customers trust the company with their savings, their communications, their locations and increasingly their digital identities.
That trust is now facing one of its most significant tests.
Seven years after the breach first came to light, millions of subscribers are still asking questions. Who has their data? Where is it now? How many copies exist? Was it used for commercial targeting? And why were they never informed?
The High Court has provided some answers.
Many more remain unresolved.
For Safaricom, the legal consequences may ultimately be measured in compensation claims, regulatory action and shareholder scrutiny.
For customers, however, the issue is far simpler.
The company that knew their data had allegedly been stolen never told them.
And for many Kenyans, that may prove to be the hardest fact to forgive.
There's no story that cannot be told. We cover the stories that others don't want to be told, we bring you all the news you need. If you have tips, exposes or any story you need to be told bluntly and all queries write to us [email protected] also find us on Telegram
