About a month and a half ago, a massive data breach at the African telecommunications company Safaricom resulted in the personal information of over 11.5 million gamblers being compromised. The data had reportedly been stolen reportedly by someone inside the company, who then tried to extort about $3 million from the company to keep it from being released into the wild. As a result, one victim of the breach, Benedict Kabugi, filed suit against Safaricom, and there is new evidence that the loss of data may extend into Europe, as well.
Two new lawsuits are preparing to be filed sometime in the next couple of weeks in both London and Paris. They are being introduced based on the General Data Protection Regulation (GDPR) of the European Union (EU), and assert that the data breach affected over 500 European citizens that reside in Kenya. Since the GDPR specifies how data of EU citizens has to be protected, even beyond EU borders, the lawsuits allege that Safaricom can be held accountable.
According to Kabugi, the case is still dragging along in court and, late last week, he and his legal team requested from the presiding judge that they be able to present the actual data as proof that Safaricom was compromised. The information has already been handed over and is now being reviewed for its authenticity. How the court rules on the legitimacy of the data could play a major role in how the London and Paris lawsuits play out.
Safaricom may be trying to use its status as one the largest telecommunications company on the continent to thwart any negative legal backlash related to the cases. Kabugi asserts that it has been pressuring media outlets such as the Nation and Standard media groups to avoid the subject, threatening them with pull out of advertising relationships that would cause them to lose major sources of income.
Kabugi, after the initial lawsuit was submitted, allegedly suffered retaliation at the hands of the police for his action. He had been arrested and thrown in jail before subsequently being released. This was an attempt, he asserts, to try to get him to back off the suit. Safaricom was able to get law enforcement to act because, as Kabugi puts it, “Safaricom has a police unit of its own which takes orders from none other than the CEO of Safaricom who is a civilian. This illegal habit is replicated in a number of big corporations here in Kenya like the Kenya Railways Corporation and the Kenya Revenue Authority.”
When the data breach occurred, it reportedly compromised the full names, identification and phone numbers, amounts gambled and other details of customers tied to Safaricom. Kabugi’s lawsuit seeks about $100,000 to be paid by the company to each of those impacted by the loss.