Safaricom Ordered to Pay KES 9.9 Million Over Customer Data Breach in Landmark Privacy Ruling

By: indexprima

May 22, 2026

Image Source: https://www.radio47.fm/news/safaricom-ordered-to-pay-11-kenyans-ksh-11-million-over-data-breach-29938/

For years, the corporate playbook for surviving a massive data breach has relied on a highly effective legal shield: the “rogue employee” defense. When sensitive consumer data inexplicably makes its way into the hands of predatory third parties, corporate communications and legal teams have historically isolated the blame, pointing to a handful of bad actors operating outside their official mandates. By characterizing these leaks as unpredictable internal anomalies rather than systemic infrastructure failures, companies routinely avoided structural liability.

But a landmark ruling from the Kenyan High Court has completely shattered that shield, rewriting the rules of data governance and corporate liability across East Africa.

Justice Bahati Mwamuye ordered Safaricom PLC, East Africa’s most profitable telecommunications giant, to pay KES 9.9 million to 11 subscribers whose private information was compromised and weaponized. The ruling establishes a massive legal precedent: as a data controller, you own the security of your pipeline from end to end. If your internal architecture allows an employee to walk out the door with customer ledgers, the institution—not just the individual—will foot the bill.

The Monetization of the Ledger

The roots of the case trace back to a dark period between 2018 and 2019, when a massive structural exploit within Safaricom’s internal data environment came to light. Internal actors systematically extracted highly sensitive subscriber records and sold them directly to digital gambling platforms, most notably the betting firm Odibets.

This wasn’t just a leak of basic email addresses or phone numbers. The compromised data included:

  1. High-fidelity M-Pesa financial transaction records.

  2. Historical betting patterns and user profiles.

  3. Official identity documents and device identifiers.

  4. Real-time geolocation tracking data.

While the immediate court petition focused on 11 specific individuals who discovered their personal records had been compromised, the broader scale of the breach was staggering. Evidence presented during the proceedings indicated that the overall security failure exposed the data of more than 11.5 million Safaricom subscribers.

The petitioners argued that the unauthorized exposure of their financial and locational footprints violated their fundamental constitutional rights to privacy and consumer protection. Safaricom attempted to deflect corporate liability by arguing that the breach was the result of unauthorized, criminal actions by rogue staff members acting completely outside their employment scope.

The Imposition of Strict Liability

Justice Mwamuye’s ruling rejected Safaricom’s defense, moving Kenyan privacy jurisprudence toward a strict liability framework for data controllers. The court ruled that an organization cannot escape its constitutional obligations by blaming internal personnel. If an enterprise chooses to collect, store, and monetize massive volumes of consumer data, it bears absolute responsibility for building internal controls capable of securing that data against both external hackers and internal actors.

Under this framework, an internal data leak is no longer viewed as a human resources issue; it is classified as a fundamental failure of system architecture. The judgment notes that corporations must implement strict data access controls, real-time audit trails, and data minimization protocols to prevent internal exploitation.

The financial penalties handed down by the High Court are structured to send a clear wave through the regional corporate landscape:

  • Direct Damages: Safaricom must pay KES 900,000 in general damages to each of the 11 petitioners, totaling KES 9.9 million.

  • Accrued Interest: The financial awards will accumulate interest from the date the petition was originally filed, significantly increasing the final payout.

  • Indemnity of Costs: In a move that raises the financial stakes of data litigation, Safaricom was ordered to cover the entire legal and litigation costs incurred by the petitioners.

The Macro Ripples for Corporate Africa

The ruling arrives at a critical juncture for Africa’s rapidly digitizing economies. As platforms scale across Kenya, Nigeria, and South Africa, companies have increasingly treated user data as a high-yield asset. However, internal security measures have rarely kept pace with data accumulation.

By penalizing Safaricom, the court is forcing a rapid transition toward a “Zero-Trust” internal architecture. For institutions managing massive financial rails—such as banks, fintech scale-ups, and telcos—the reliance on simple perimeter firewalls is no longer legally sufficient. Security teams must now treat their own staff as potential attack vectors, hard-coding strict identity and access management (IAM) protocols that restrict data visibility to the absolute bare minimum required for execution.
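The controls the judgment and this section describe (role-scoped field visibility and an audit trail that can surface bulk record extraction) can be made concrete in code. The following is an added illustration, not anything from the ruling or from Safaricom's systems: it assumes a hypothetical subscriber-record service whose audit entries and role policy are constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail entries for a hypothetical subscriber-record
# service; the schema, users and numbers are made up for this example.
AUDIT_LOG = [
    {"ts": "2019-03-01T09:00:00", "user": "agent-17", "role": "support",
     "msisdn": "254700000001", "fields": ["name", "plan"]},
    {"ts": "2019-03-01T09:05:00", "user": "agent-17", "role": "support",
     "msisdn": "254700000002", "fields": ["name", "location"]},
]
# One principal reading 200 distinct subscribers in ten minutes: the
# footprint a systematic extraction leaves in a real-time audit trail.
AUDIT_LOG += [
    {"ts": f"2019-03-02T02:{i // 20:02d}:{(i % 20) * 3:02d}", "user": "batch-9",
     "role": "support", "msisdn": f"2547001{i:05d}", "fields": ["mpesa_txns"]}
    for i in range(200)
]

# Data-minimization policy: the fields each role may read. Transaction
# history and geolocation are visible only to roles explicitly granted them.
ROLE_FIELDS = {
    "support": {"name", "plan"},
    "fraud-analyst": {"name", "plan", "mpesa_txns"},
}

def denied_fields(role, requested):
    """Return the requested fields that the role is not entitled to see."""
    return set(requested) - ROLE_FIELDS.get(role, set())

def policy_violations(log):
    """Audit entries in which a role read fields outside its entitlement."""
    return [e for e in log if denied_fields(e["role"], e["fields"])]

def bulk_access_alerts(log, max_subscribers=50, window=timedelta(hours=1)):
    """Principals that touched more than max_subscribers distinct subscriber
    records within any sliding window; the value is the peak count seen."""
    by_user = defaultdict(list)
    for e in log:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["msisdn"]))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1  # slide the window start forward
            distinct = {m for _, m in events[lo:hi + 1]}
            if len(distinct) > max_subscribers:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts
```

Both checks run over the same trail: the policy check catches individual over-privileged reads, while the sliding-window count catches a principal whose access volume no legitimate support task explains.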

Furthermore, this ruling opens the floodgates for class-action litigation. While Safaricom can absorb a KES 9.9 million judgment for 11 users, the math changes completely if a larger portion of the 11.5 million exposed subscribers file follow-on petitions under the same legal precedent. For the broader African tech ecosystem, the cost of data negligence has just been explicitly priced—and it is a liability that no balance sheet can easily ignore.
