A data breach is any security incident in which unauthorized parties gain access to sensitive data or confidential information, including personal data (ID numbers, bank account numbers, healthcare data) or corporate data (customer data records, intellectual property, financial information).

How data breaches occur

The following are ways data breaches may occur:

•         Through an Accidental Insider. An example would be an employee using a co-worker’s computer and reading files without having the proper authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized person, the data is considered breached.
•         Through a Malicious Insider. This person purposely accesses and/or shares data with the intent of causing harm to an individual or company. The malicious insider may have legitimate authorization to use the data, but the intent is to use the information in nefarious ways.
•         Lost or Stolen Devices. An unencrypted and unlocked laptop or external hard drive, anything that contains sensitive information, goes missing.
•         Malicious Outside Criminals. These are hackers who use various attack vectors to gather information from a network or an individual.

Cases of data breaches in Kenya

Kenya Airports Authority had its network breached in a cyberattack by a notorious group called Medusa. The hack happened in February 2023. According to NTV, the cyberattack had no ‘significant’ operational and financial impact, with security enhancements implemented to ensure that data stored on affected systems are secure. However, the attack affected KAA website for a number of days and the attackers released 514 GB of data. This data included procurement plans, physical plans, site surveys, invoices and receipts.

On 23rd April 2023, Naivas supermarket chain announced that it had been the victim of a ransomware attack by an online criminal organisation. Naivas also admitted that it may have compromised some of their data. Naivas emphasized that on becoming aware of the attack, they took immediate steps to prevent external access and engaged leading cybersecurity experts, CrowdStrike, to ensure system integrity. They assured Kenyans that the process was completed and their systems were secure.

What to do if your organisation’s data is breached

The Data Protection Act requires that once a data breach occurs, it should be reported to the Data Commissioner. If you are a data controller you should report the breach to the Data Commissioner within 72 hours of becoming aware of the breach. On the other hand, if you are a data processor, you report the breach to the data controller within 48 hours of becoming aware of the breach. In some cases, you may also need to notify the impacted individuals.

Apart from notification, you should also take remedial measures to mitigate the effects of the breach and to prevent future recurrence of the breach.

How to prevent a data breach

According to the Data Protection Act and regulations, the data controller or data processor is required to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

1.       The nature of personal data collected and held;
2.       How a data subject may access their personal data and exercise their rights with respect to that personal data;
3.       Complaints handling mechanisms;
4.       The lawful purpose for processing personal data;
5. Obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
6.       The retention period and schedule; and
7.       The collection of personal data from children, and the criteria to be applied.

The Regulations provide for specific obligations to the data controller and data processor. These obligations arise due to the data protection principles of integrity, confidentiality, and availability. These obligations include:

1.       Having an operative means of managing policies and procedures for information security;
2. Assessing the risks against the security of personal data and putting in place measures to counter identified risks;
3.       Processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
4.     Ensuring only authorised personnel have access to the data necessary for their processing tasks;
5.       Securing transfers shall be secured against unauthorised access and changes;
6.       Securing data storage from use, unauthorised access, and alterations;
7.     Keeping back-ups and logs to the extent necessary for information security;
8.     Using audit trails and event monitoring as a routine security control;
9.     Protecting sensitive personal data with adequate measures and, where possible, kept separate from the rest of the personal data;
10.         Having in place routines and procedures to detect, handle, report, and learn from data breaches; and
11.     Regularly reviewing and testing software to uncover vulnerabilities in the systems supporting the processing.