A looming High Court ruling could detonate one of the biggest corporate scandals in Kenya’s history, after explosive forensic evidence linked leading betting firm Odibets to the purchase and use of stolen personal data belonging to tens of millions of Kenyans.
At the heart of the case is a chilling allegation: that nearly 29.9 million Safaricom subscribers had their most sensitive personal information illegally extracted, sold, and weaponised for commercial gain, potentially fueling the rapid rise of Kenya’s booming betting industry.
A Data Breach of Unprecedented Scale
Court filings reveal that the scandal goes far beyond the previously reported 11.5 million affected users. WhatsApp forensic evidence submitted in court shows that rogue insiders accessed and exfiltrated data covering almost the entire Safaricom subscriber base between 2018 and 2019.
The stolen data reportedly included:
- Full names and national ID details
- M-Pesa transaction histories
- Betting patterns and total amounts wagered
- Phone IMEI numbers and SIM usage data
- Precise geolocation information
In one damning message dated July 17, 2018, former Safaricom employee Simon Billy Kinuthia allegedly stated: “I have the full details of our 29.9M customers backed up somewhere.”
Investigators say this was not a threat—it was confirmation that the data had already been stolen.
Direct Link to Odibets
According to forensic reports prepared by the Directorate of Criminal Investigations and supported by internal investigations from Safaricom, Odibets is among several betting firms that allegedly received and used the stolen data.
The data was not transferred in a single batch. Instead, it was sold in segments—datasets of 50,000, 100,000, and 200,000 records—tailored to meet the needs of specific buyers.
Investigators say the transactions followed a clear commercial pattern:
- Sample data was first shared with potential buyers
- Prices were negotiated
- Full datasets were delivered after confirmation of payment
Critically, Odibets entered the market in 2018—the exact period when the data theft and distribution was taking place—raising serious questions about whether its early growth was fueled by illegally obtained customer intelligence.
Inside the Alleged Operation
Witness statements and forensic timelines suggest the scheme was deeply embedded within Safaricom’s internal systems.
One implicated employee, Charles Njuguna Kimani, told investigators he was instructed during a meeting in Westlands to provide “comprehensive data” for external use. Within hours of requests, entire datasets were reportedly extracted and shared via Google Drive links.
On September 11, 2018, a request for an industry-wide dataset of 11.5 million betting subscribers was allegedly fulfilled in under five hours.
Former Safaricom ethics head Patrick Kinoti Marithi later confirmed in a sworn statement: “I established that the data could be extracted from our computer systems.”
Kareco Holdings and the Faces Behind Odibets
Odibets operates under Kareco Holdings Limited, a Nairobi-based firm with regional operations across Africa.
The company is chaired by Jimmy Kibaki, son of former President Mwai Kibaki, and has marketed itself as a homegrown success story.
Its rapid expansion—fueled by aggressive advertising, youth-focused campaigns, and deep integration with M-Pesa—helped it capture a significant share of Kenya’s betting market within a few years.
But the new allegations paint a darker picture: one of a company that may have acquired stolen personal data to identify and target vulnerable gamblers with precision.
Targeting Vulnerability?
Experts warn that the stolen datasets were far more than simple contact lists.
By combining betting histories, financial transactions, and geolocation data, companies could allegedly:
- Identify high-spending gamblers
- Track behavioral patterns
- Target financially vulnerable individuals
Critics argue this effectively turned personal data into a “psychological targeting tool”, allowing betting firms to maximise profits from addiction.
Kenya already ranks among Africa’s most gambling-active nations, with billions wagered annually and rising cases of addiction—particularly among young, unemployed men.
Legal and Criminal Exposure
The implications for Odibets could be severe.
Under the Data Protection Act, companies found to have used illegally obtained data face:
- Fines of up to Sh5 million or 1% of annual turnover
- Compensation claims from affected individuals
- Potential criminal prosecution of directors
Additional liability may arise under the Computer Misuse and Cybercrimes Act, which criminalises the use of data obtained through unauthorised access.
Regulators, including the Office of the Data Protection Commissioner and the Gambling Regulatory Authority of Kenya, also have powers to impose sanctions, suspend licences, or shut down operations entirely.
The Shocking Court Case
The upcoming ruling stems from a constitutional petition filed by lawyer Augustine Onalo on behalf of 11.5 million affected subscribers, seeking Sh1.5 million per person in damages from Safaricom.
If successful, the case could expose the telecom giant to a staggering Sh17.25 trillion liability—one of the largest potential payouts in global legal history.
While Safaricom is the primary respondent, the inclusion of forensic evidence naming Odibets shifts the spotlight squarely onto the betting industry.
Silence and Mounting Pressure
Despite the gravity of the allegations, Odibets has not publicly responded to questions regarding its alleged involvement in the data scandal.
Regulatory bodies and investigators have also remained largely silent, raising concerns about whether enforcement agencies will act if the court validates the evidence.
A Defining Moment
As the High Court prepares to deliver its judgment, the stakes could not be higher.
If the forensic evidence is upheld, the case could:
- Trigger criminal investigations into betting firms
- Reshape Kenya’s data protection enforcement
- Redefine accountability in the digital economy
For millions of Kenyans whose personal data may have been exposed, the case represents more than a legal battle—it is a test of whether corporations can exploit private information without consequence.
And for Odibets, the question now echoing across the country is simple but explosive:
Was its rise built on innovation—or on stolen data?