BRS breach exposes Kenya’s weak cybersecurity

Last Friday, B2BHint, a Moldavian company, infiltrated the government-owned Business Registration Service (BRS), the sole custodian of a list of all companies registered in Kenya. The business intelligence firm accessed – and put on sale – the data of over two million shareholders, including their phone numbers and residential addresses. B2BHint also accessed the data of President William Ruto, former President Uhuru Kenyatta, and his family.
This breach follows similar cybersecurity threats that continue to plague many public institutions in Kenya. In 2023, data from the Kenya Airports Authority was accessed and posted online after the agency was unable to pay the ransom requested by Medusa, a ransomware organisation. The eCitizen platform was also under a Distributed Denial of Service (DDoS) attack from Anonymous Sudan, a criminal hacker group. The DDoS attack did not breach the eCitizen platform, which gave Kenyans a short-lived feeling of safety until B2BHint struck.
Most cyber threats in Kenya occur due to system vulnerabilities. The latest data shows that between July and September last year, the number of cyber threats stood at 657,843,715. Over 583 million of these cases were a result of system vulnerabilities. The Communications Authority of Kenya (CA) reports that Kenya lost about KSh10 billion to cybercrimes in 2023.
Response to the breach
Kenya has no law mandating public access to ownership of companies. The information is only available if one visits the company registry and conducts a search. Therefore, the information leak led droves of Kenyans to B2BHint’s website, which held the goldmine of data.
Shortly after the breach, BRS and other government agencies issued statements about the leak. Kenneth Gathuma, the Director General of BRS, said investigations are already underway. “Our cyber security experts are working closely with our cybersecurity partner, law enforcement, and investigative agencies to assess the scope of the incident, determine any potential impact, and implement necessary containment and mitigation measures. Once the investigation is complete, we will provide an update and directly engage with any affected parties.”
The government said that it has assembled a multi-agency team to investigate and prevent access to sensitive data. To ward off attacks, it also warned businesses to update security software and cybersecurity measures. In a notice, Cabinet Secretary for ICT William Kabogo said, “We encourage the public to verify the authenticity of websites and emails to avoid falling victim to phishing attacks. Regularly back up important data to secure locations.”
However, the most important information came from B2BHint, which posted the following tweet on X.com early this week.
[Image: B2BHint’s post on X. Source: x.com]
According to information later published in the dailies, B2BHint took advantage of a vulnerability on the BRS website to access data related to the registered companies. The breach sent online users sleuthing, with many searching for data related to people suspected of corruption. Those who came across ownership information related to the president and his family members posted it online. This shows how security threats can quickly evolve into national security threats, compromising the lives of people whose information should be protected from public disclosure.
[Image omitted. Source: x.com]
B2BHint has since deleted the data from Kenya and stated that it has been working with government agencies, as it later posted on X.com. Attempts to visit the pages where the Kenyan data was posted bring up the following page, indicating that B2BHint needs to comply with Kenyan laws.
[Image omitted. Source: X.com]
Kenya’s weak cybersecurity
The leak brought to the fore the same concerns that previous breaches and attacks raised: cybersecurity in Kenya, especially around government data, is weak, and that data can easily be accessed. The National KE-CIRT/CC, which coordinates the response to cybersecurity matters, did not issue an advisory on this breach, though it normally publishes other alerts. Meanwhile, citizens have been registering their concerns online about the leak, as shown below.
[Image: citizens’ posts about the leak. Source: x.com]
Cybersecurity is of utmost importance, and Kenya needs to take it seriously. It needs to invest in the necessary infrastructure and personnel to prevent the further spread of personal/private data, as happened in this case.