Safaricom headquarters in Nairobi amid 11.5 million subscriber data leak lawsuit.

Safaricom faces a data breach lawsuit after businessman Benedict Kabugi accused the telco of fabricating claims to cover up a massive subscriber information leak.

A Nairobi businessman, Benedict Kabugi Ndung’u, has strongly denied claims by Safaricom PLC that he attempted to sell leaked subscriber information to the popular betting company SportPesa, calling the allegations “false, malicious, and a cover-up attempt.”

Kabugi, who has filed a data breach lawsuit against Safaricom, accuses the telecommunications giant of negligence in protecting sensitive customer information. He insists that the company is now fabricating stories to shift public and legal scrutiny away from its own internal failures.

Background: The 11.5 Million Subscriber Data Leak

The controversy stems from the alleged leak of personal information belonging to over 11.5 million Safaricom subscribers. The leaked data reportedly contained names, ID numbers, phone numbers, and M-Pesa transaction histories — data that, if confirmed, would constitute one of the largest breaches in Kenya’s corporate history.

According to court documents, Kabugi claims he was among the first to alert Safaricom about the breach and offered to help the company trace the individuals responsible for the illegal access and distribution of the data. However, he says his cooperation was misrepresented as an attempt to profit from the information.

Safaricom Accused of Fabricating the Sale Allegations

Kabugi told the court that the claim he tried to sell data to SportPesa was a fabrication made after multiple verbal and written requests from Patrick Kinoti M’Arithi, the Head of Ethics and Compliance at Safaricom.

He says Kinoti personally contacted him several times and even paid him Ksh 50,000 via M-Pesa on May 25, 2019, allegedly to facilitate meetings between him and individuals who were in possession of the leaked data.

“The money was intended to help arrange meetings with those in possession of the data,” Kabugi stated in his affidavit, adding that the meetings were organized with Safaricom’s full knowledge and participation.

Kabugi also named Charles Njuguna Kimani and Mark Billy Nderitu as the two individuals who allegedly held the compromised subscriber data. He said Safaricom’s agents were fully aware of his plan to meet them, as part of efforts to confirm the authenticity and source of the leak.

“Keep the Deal Warm,” Safaricom Agent Allegedly Told Him

In detailed testimony, Kabugi recounted how Kinoti allegedly instructed him to “keep the deal warm,” a statement he interpreted as a directive to maintain communication with the individuals involved in the leak.

He claimed Safaricom’s Ethics Department was using him as a link to reach the data holders, yet the same department later turned around and accused him of plotting to sell the information to SportPesa.

“I was acting on Safaricom’s behalf the entire time,” Kabugi told the court. “Every meeting I held, every message exchanged, was with their knowledge. To accuse me now of attempted sale is dishonest and defamatory.”

Denial of Extortion Allegations

Kabugi also rejected Safaricom’s assertion that he tried to extort Ksh 100 million from the company in exchange for disclosing the identity of the source of the data.

He maintained that he never demanded any payment from Safaricom and, in fact, cooperated freely with both the company and law enforcement officers in tracing the individuals behind the breach.

According to his lawyers, Kabugi’s cooperation led to significant leads that helped investigators identify and apprehend suspects connected to the breach.

“He offered full assistance to Safaricom and investigators without asking for any compensation,” his legal team stated. “The extortion claim is baseless and intended to paint him as a criminal rather than a whistleblower.”

Legal Battle Over Data Privacy and Corporate Responsibility

The case has sparked national debate over data privacy, corporate accountability, and consumer protection in Kenya. Experts say it could become a landmark ruling under the Data Protection Act, 2019, which enshrines the right of Kenyans to have their personal information handled responsibly by companies and government agencies.

If proven, the breach would not only raise questions about Safaricom’s cybersecurity protocols but also its ethical responsibility to notify affected customers and mitigate potential harm.

Data protection lawyer Dr. Mercy Wekesa noted that the case highlights gaps in how corporations handle data breach incidents.

“Transparency is critical when breaches occur,” she said. “Blaming third parties without admitting systemic weaknesses only undermines public trust.”

Safaricom’s Reputation and the Growing Risk of Data Misuse

Safaricom, Kenya’s largest telecommunications company, handles massive volumes of sensitive data daily through its M-Pesa, mobile network, and digital services. The company has often emphasized its commitment to cybersecurity and ethical data handling.

However, this case adds to a growing list of complaints and legal challenges relating to data privacy, SIM swap fraud, and M-Pesa-related scams. Consumer rights groups argue that the telco must strengthen transparency and communication whenever data incidents occur.

Digital rights activist Eric Mwangi commented that large firms like Safaricom must recognize their duty to safeguard customer data as part of their social contract with the public.

“The trust Kenyans place in Safaricom is enormous. When that trust is broken, the company must take responsibility rather than deflect blame,” Mwangi said.

Kabugi’s Next Steps in Court

Kabugi’s lawsuit seeks damages for alleged defamation and violation of his privacy rights. He also wants the court to compel Safaricom to publicly acknowledge the data breach and issue an official apology.

He has further requested the Office of the Data Protection Commissioner (ODPC) to intervene and conduct an independent audit of Safaricom’s data protection systems.

The case is set for a mention in November 2025 before the Milimani High Court, with both parties expected to submit additional evidence and witness statements.

The Broader Picture: Kenya’s Growing Data Privacy Concerns

Kenya’s data protection landscape is still evolving, with increasing scrutiny on how both public and private institutions collect, store, and use personal information. The Data Protection Act provides individuals with the right to know how their data is used — and to seek legal recourse if mishandled.

Kabugi’s case could, therefore, set a precedent for how data-related disputes are handled between large corporations and private citizens in Kenya.

“This is not just a case about one man versus a telco,” said one analyst. “It’s about accountability, transparency, and trust in the digital economy.”

Source: nairobitimez

By admin
