Judgment Set for May 2026 in Major Data Breach Case Against Safaricom

On May 13, 2026, Kenya's High Court is scheduled to deliver its ruling on a petition accusing Safaricom PLC of a large-scale data breach affecting over 11.5 million subscribers. The decision follows the completion of oral and written arguments from all sides. A group of subscribers alleges that the telecommunications giant neglected its responsibility as a data controller to protect sensitive personal information.

The petitioners claim that between 2018 and 2019, Safaricom's systems were exploited through an extended, organized effort involving rogue employees. They assert that these workers illegally accessed and copied subscriber data, which was then allegedly shared with third parties—including betting companies—for financial gain.

Court documents include WhatsApp messages from Safaricom employees that, according to the petitioners, reveal more than routine data harvesting. They argue the messages show the company gave employees unrestricted access to violate personal data.

Represented by Mola Kimosop Advocates, the petitioners argue that Safaricom failed to implement adequate safeguards for subscriber data, allowed employees to access and profit from the illegal scheme, and must therefore be held accountable. Austin Taabu and ten others contend the breach was systematic rather than an isolated incident, violating their constitutional rights to privacy, dignity, and consumer protection under Articles 28, 31(c) and (d), and 46 of the Constitution.

Their submissions state that Safaricom—as Kenya's dominant telecom provider and data controller—deliberately harvested, commercialized, and distributed the most sensitive personal, financial, betting, and location data of 11.5 million subscribers over an extended period. They argue this was not merely the isolated May 2019 incident but a sustained effort for profit, carried out without basic security measures. They call for strong legal remedies under Article 23(3) of the Constitution.

Safaricom's Defense

Safaricom has strongly rejected the petition, calling it a clear misuse of court processes and urging the court to dismiss it entirely. The company argues that the same alleged breach is already the subject of multiple ongoing legal actions, including another constitutional petition, civil suits, and a criminal case.

Safaricom contends that filing multiple overlapping lawsuits on the same issue amounts to forum shopping and disrupts the fair administration of justice. It cites the case of Satya Bhama Gandhi v Director of Public Prosecutions & 3 Others to support its position that litigants should not pursue several legal avenues simultaneously in hopes of a favorable outcome.

The company also challenges the evidence presented, arguing that the subscribers have not proven their personal data was part of any breach. It states that the petitioners relied on general claims and M-Pesa transaction statements, which do not demonstrate that their specific data was accessed or shared.

Safaricom further disputes the existence of an 11.5 million subscriber dataset, noting that no admissible evidence has been produced to confirm such a dataset was ever assembled or transmitted.

A major point of disagreement involves the affidavit of Benedict Kabugi, which the petitioners rely upon. Safaricom argues this affidavit is inadmissible because it was attached as an annex rather than formally filed, and because Kabugi is neither a party to the case nor an independent witness. The company also notes that Kabugi is facing criminal charges related to the same alleged breach, calling his testimony self-serving and unreliable.

Regarding legal responsibility, Safaricom maintains that it cannot be held constitutionally liable for the criminal actions of former employees, as those actions fell outside their job duties and were done for personal profit. The company argues that employers are not vicariously liable for employees' personal criminal schemes unrelated to their official roles.
