News

2 Million Kenyan Business Records Leaked Online After Major Government Data Breach

Photo of Staff Writer Staff Writer Follow on X February 2, 2025
0 4 minutes read
2 Million Kenyan Business Records Leaked Online After Major Government Data Breach

You’re Advised to Change Your eCitizen Password. This follows a massive data breach affecting Kenya’s Business Registration Service (BRS), exposing sensitive details of approximately 2 million companies. The breach, which reportedly occurred on January 31, 2025, has left crucial corporate data – including personal information of company directors and beneficial owners – publicly accessible online. The stolen data is reportedly being sold on private websites, raising serious concerns about privacy, identity theft, and the broader implications for Kenya’s cybersecurity infrastructure.

What Happened?

According to multiple reports, the cyberattack targeted the BRS, an agency under the Attorney General’s office responsible for company registration. This system contains highly sensitive data on registered businesses, including:

Download LOOP App
  • Names of company directors and beneficial owners
  • Business registration details
  • Company financial records
  • Proprietor contact details

The breach came to public attention when users began reporting that corporate registration data was freely available on b2bhint.com, a platform that aggregates business registration records from various global sources. The website allows anyone to search for companies by name or registration number, exposing personally identifiable information (PII) in seconds.

If you visit b2bhint.com, you can search for any company registered in Kenya between 2015 and 2021, and you will find detailed information, including:

  • Company ownership structure
  • Share distribution
  • Names and details of directors and beneficial owners

In many cases, the data even includes sensitive personal identifiers like national ID numbers, contact information, and business affiliations, making it alarmingly easy to track individuals and their financial interests.

Social media users were quick to raise alarm, with some confirming that company data dating back to 1967 was now accessible. A viral post warned, “If you registered a company between 2015 and 2021 with BRS in Kenya, your data is being auctioned out there, and it’s very accurate. I just can’t believe what I’m seeing.”

BRS Responds but Leaves More Questions Than Answers

The Business Registration Service (BRS) issued an official statement acknowledging the reports and confirming that they had launched an internal investigation. The agency stated that they had activated their Incident Response Plan and were working with cybersecurity experts, law enforcement agencies, and regulators to assess the situation.

The BRS Director-General, Kenneth Gathuma, assured the public that the agency was taking urgent steps to contain the breach, but admitted that they were still verifying the full extent of the attack. “Once the investigation is complete, we will provide an update and directly engage with any affected parties,” Gathuma stated.

However, BRS did not explicitly confirm what data was leaked, how many individuals were affected, or whether the attackers demanded a ransom. They also did not explain how the breach occurred, leaving speculation open as to whether it was an internal leak or a coordinated external cyberattack.

Was This an Inside Job?

A report published by Nation Media Group cites sources close to the investigation suggesting that the attack could have been facilitated by an internal actor. One unnamed source told journalists, “We still can’t say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach suggests an internal compromise.”

Additionally, cybersecurity analysts noted that the BRS online database had been taken offline, raising suspicions that either the attackers disabled the system or authorities shut it down to prevent further exposure.

Unlike ransomware attacks, where hackers encrypt data and demand payment for its release, this breach appears to involve direct data exfiltration, where stolen information is placed on the dark web and other public domains.

Government’s Silence and Public Outrage

Despite the severity of the breach, Kenya’s Office of the Data Protection Commissioner (ODPC) has yet to release an official statement. The lack of immediate government communication has fueled frustration, with critics calling for accountability and stricter data protection enforcement.

It is crazy seeing such a massive data leak, without any concerns from government, especially the ICT minister. Instead conversations in the tech space by government center on control and restrictions and switching off the internet.

Others have demanded answers on how this breach could happen under Kenya’s 2019 Data Protection Act, which requires strict safeguards for handling personal data. The law mandates organizations to notify affected parties when breaches occur – but so far, no individual or company has received direct notification from BRS.

What This Means for Businesses and Individuals

The BRS breach presents significant risks, including:

  • Identity theft: Cybercriminals could use leaked PII for fraudulent financial activities.
  • Corporate espionage: Competitors can access sensitive company ownership details.
  • Blackmail and extortion: Private business records could be exploited for illicit gain.
  • Phishing attacks: Scammers may use leaked emails and contact information for targeted fraud.

If you or your company is registered under BRS, you should:

  • Change your eCitizen password immediately
  • Monitor financial transactions and business dealings
  • Beware of unsolicited messages or phishing attempts
  • Consult legal or cybersecurity experts for risk mitigation

Bigger Picture: A Wake-Up Call for Kenya’s Cybersecurity

This is the largest government data breach in Kenya since the 2023 Kenya Airways cyberattack, which compromised passengers’ personal and financial data. The recurrence of such attacks raises serious questions about the government’s cybersecurity preparedness.

Kenya’s National Computer and Cybercrimes Coordination Committee (NC4) and Communications Authority are expected to conduct forensic investigations, but whether they will publicly disclose their findings remains uncertain.

As Kenya continues its push toward digital governance and eCitizen services, incidents like this demonstrate the urgent need for stronger cybersecurity policies, enforcement, and proactive risk management.

Discover more from Techish Kenya

Subscribe to get the latest posts sent to your email.

Tags
Photo of Staff Writer Staff Writer Follow on X February 2, 2025
0 4 minutes read
Photo of Staff Writer

Staff Writer

Techish focuses mostly on opinions on Tech, Business, Entrepreneurship and Startups. Reach out to us at any time mail@tech-ish.com if you have anything you want to have featured on the site.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Articles

Kenya’s push for social media regulation sparks debate on censorship, activism, free speech, tech accountability, and the future of digital freedoms.

Activism, Censorship & Regulation: A Discussion on the Future of Social Media in Kenya

January 31, 2025
Generative AI is fueling identity fraud in Africa, with deepfake attacks surging. Biometric verification, fintechs, and digital ID systems face growing threats.

Identity Fraud in Africa Reaches Crisis Levels: How AI is Fueling the Problem

January 31, 2025
The AI Advantage: IBM Study Reveals African CEOs' Strategy for Success What to Look Forward to in the New Decade

89% of IT Leaders Concerned About GenAI’s Impact on Cybersecurity, Sophos Survey Reveals

January 30, 2025
TikTok partners with Aleph Holdings for ad support and Wowzi for creator management, strengthening Kenya’s digital ecosystem and advertising landscape.

Aleph to Manage TikTok Ads in Kenya as Wowzi Takes Over Creator Partnerships

January 29, 2025
Back to top button