A high-stakes legal battle involving Safaricom and businessman Benedict Kabugi has intensified following explosive allegations linking him to the unlawful extraction and commercial use of subscriber data belonging to millions of Kenyans.
The case, which is already being described as one of the most significant data privacy disputes in Kenya’s history, centres on claims that sensitive information belonging to approximately 11.5 million Safaricom customers was accessed, transferred, and allegedly circulated outside the company’s systems without consent.
According to court filings and legal documents cited in the proceedings, the compromised data is said to have included customer names, phone numbers, identity document details, location data, handset information, M-Pesa transaction records, and behavioural data linked to betting activity.
Safaricom has alleged that the breach occurred between 2018 and 2019 and involved two former senior employees who are said to have collaborated with Kabugi in extracting the information from internal systems. The company further claims the data was moved into encrypted cloud storage before being copied onto external devices, some of which have not been recovered.
The telecommunications firm maintains that the information was not merely stolen but was also positioned for commercial exploitation, particularly within Kenya’s betting industry, where detailed consumer data is highly valuable for targeted marketing and customer profiling.
Allegations of Extortion
At the centre of the dispute are also allegations that Kabugi sought financial gain following the exposure of the alleged breach. Safaricom has accused him of demanding Sh100 million in exchange for withholding further disclosures and revealing the origins of the stolen data.
Those allegations led to criminal charges related to demanding money with menaces, which Kabugi has denied.
He has consistently maintained that he acted as a whistleblower who exposed serious vulnerabilities within Safaricom’s data protection systems rather than participating in any unlawful scheme.
Safaricom, however, disputes this narrative, insisting that Kabugi’s actions were motivated by personal financial interests and not public interest concerns.
Landmark Court Findings
The dispute escalated significantly after a High Court ruling in May 2026 found Safaricom liable for violating the constitutional rights of subscribers affected by the data exposure.
The court determined that Safaricom could not shift full responsibility to rogue employees, ruling that the company bore constitutional and statutory obligations to protect subscriber information.
In its judgment, the court held that personal data—including financial records, betting-related activity, and location information—had been unlawfully accessed and disseminated beyond authorised systems.
Eleven affected subscribers were awarded damages, alongside costs and interest, setting a major precedent in Kenya’s evolving data protection jurisprudence.
Betting Industry Link Under Scrutiny
Court documents and investigative materials referenced during proceedings have also drawn attention to the alleged movement of subscriber data into commercial networks linked to Kenya’s betting sector.
Investigators are said to have reviewed digital evidence suggesting that the information may have been used to construct behavioural profiles of customers, including spending patterns and gambling activity.
The revelations have intensified scrutiny of the intersection between mobile money systems, telecommunications data, and the rapidly expanding betting industry, where consumer analytics can provide a significant competitive advantage.
Kabugi’s Defence
Kabugi has denied all allegations of wrongdoing, maintaining that he played a key role in exposing the breach and pushing for accountability from one of East Africa’s largest telecommunications companies.
His legal team argues that he is being unfairly portrayed as a perpetrator despite raising concerns about data security failures that may have otherwise remained hidden.
Safaricom, on the other hand, insists that internal investigations and court proceedings point to a coordinated effort involving insiders and external actors, rather than a singular act of whistleblowing.
Wider Implications
The case has sparked broader concerns about the protection of personal data in Kenya’s increasingly digital economy, where mobile money, telecom services, and online platforms generate vast amounts of sensitive user information.
Experts warn that the alleged breach highlights systemic risks in data governance, particularly where large datasets containing financial and behavioural information can be accessed, transferred, and potentially monetised outside regulated frameworks.
Regulatory attention is expected to intensify as the case progresses, with potential implications for corporate compliance standards and enforcement of Kenya’s Data Protection Act.
Trust at Stake
Beyond legal liability, the scandal has raised questions about public trust in digital service providers handling sensitive financial and personal information.
For millions of Safaricom users, the allegations have revived concerns that their data may have been exposed beyond the company’s control and used in ways they never authorised.
As court proceedings continue, both Safaricom and Kabugi face mounting pressure to clarify their roles in a case that has become a defining test of Kenya’s data privacy regime.
The courts are now expected to determine criminal liability, civil responsibility, and the extent of any damages owed to affected subscribers.
What remains undisputed is that the case has placed one of Kenya’s most powerful corporations at the centre of a national debate on data security, corporate accountability, and the commercial value of personal information in the digital age.
