The High Court has scheduled a date to deliver its judgment on a petition accusing Safaricom PLC of overseeing a massive data breach that reportedly impacted over 11.5 million subscribers. The court reached this stage following the conclusion of both oral and written submissions from all involved parties.
A group of subscribers initiated the legal battle, alleging that the telecommunications giant failed its legal obligations as a data controller to protect sensitive personal information. The petitioners claim that between 2018 and 2019, rogue employees exploited Safaricom’s systems in a coordinated and prolonged scheme. They argue these individuals unlawfully extracted subscriber data and shared it with third parties, such as betting firms, for financial profit.
“WhatsApp chat messages by the Respondent’s employees reveal more than just ordinary data harvesting and hawking. It shows that Respondent had granted unlimited access to its employees to violate personal data…” reads the court documents in part.
Represented by Mola Kimosop Advocates, the petitioners contend that the giant telco failed to implement necessary safeguards. They argue that Safaricom allowed its staff to access and sell private information while benefiting from the illegal arrangement, and they now demand that the company take full responsibility for the breach.
Austin Taabu and ten other petitioners contend that the breach was systemic rather than incidental, alleging a severe violation of their constitutional rights to privacy, dignity, and consumer protection.
In their submissions, they argue that Safaricom, as Kenya’s dominant telecommunications provider, failed to implement even the most basic safeguards while “systematically” harvesting and commercializing the intimate personal, financial, and geolocation data of 11.5 million subscribers over a sustained period. They assert that this was not merely an isolated incident from 2019 but an “atrocious, profit-driven violation” of the Constitution that now demands the strongest legal vindication.
Safaricom has strongly opposed the petition, dismissing it as a “textbook case of abuse of court process” and urging the court to reject it entirely. The company argues that the matter is already entangled in multiple ongoing legal battles, including a separate constitutional petition, various civil suits, and a criminal case – all originating from the same alleged data breach.
Safaricom maintains that filing parallel or successive lawsuits on the same subject constitutes “forum shopping,” a practice it argues undermines the efficient administration of justice. Citing the legal precedent of Satya Bhama Gandhi v Director of Public Prosecutions & 3 Others, the company asserts that litigants must not pursue multiple legal processes simultaneously in an attempt to secure a more favorable outcome.
The telecommunications firm also challenges the evidentiary basis of the petition, arguing that the subscribers have failed to prove that the alleged breach actually compromised their personal data. Safaricom contends that the petitioners rely on general claims and M-Pesa transaction statements, which do not sufficiently establish that their private information was accessed or shared.
Furthermore, the company disputes the existence of the alleged 11.5 million subscriber dataset, stating that no admissible evidence proves such a collection was ever compiled or transmitted.
A central point of contention involves the affidavit of Benedict Kabugi. Safaricom argues this document is inadmissible because the petitioners introduced it as an annexure rather than a formal filing. The company also points out that Kabugi is neither a party to the case nor an independent witness, noting that he currently faces criminal charges linked to the alleged breach. Consequently, Safaricom describes his testimony as self-serving and unreliable.
Regarding liability, Safaricom insists the court cannot hold it constitutionally responsible for the criminal acts of former employees. The company argues that these individuals acted outside the scope of their employment for personal gain. It maintains that employers are not vicariously liable for the actions of staff members who engage in personal criminal schemes unrelated to their official duties.
The High Court is expected to deliver its judgment on the matter on May 13, 2026.
