A significant data breach at the State-owned Business Registration Service (BRS) has compromised sensitive personal details of shareholders in Kenyan companies, with this information now being sold on the dark web.
The breach, which occurred on the night of January 31, 2025, has resulted in the exposure of national ID numbers, addresses, phone numbers, and other confidential data. The stolen information, spanning decades—including records dating back to 1967—has reportedly surfaced on http://b2bhint.com, where it is allegedly being auctioned to the highest bidder.
Potential Inside Job Raises Security Concerns
Cybersecurity experts believe that the nature of the attack suggests potential internal involvement, heightening concerns about the security of government-held data. Although the identity of the perpetrators remains unknown, the incident has sparked urgent discussions about data protection and digital security in Kenya’s public institutions.
BRS, which manages a comprehensive database of businesses and shareholders, has confirmed that they are working with law enforcement agencies and cybersecurity specialists to assess the extent of the breach and mitigate further risks.
Implications for Business Transparency and Data Privacy
This breach comes at a time when Kenya is enforcing stricter transparency laws that require businesses to disclose their beneficial owners. While these regulations aim to combat corruption and financial fraud, the breach has raised concerns over the vulnerability of sensitive personal and corporate data.
The extent of the damage remains unclear, with BRS yet to confirm the number of affected individuals and companies. However, the compromised data could have far-reaching consequences, including risks of identity theft, fraud, corruption, and money laundering.
What Happens Next?
BRS has launched an investigation to determine the full scope of the breach and how it was orchestrated. Authorities are also looking into enhancing cybersecurity measures to prevent future breaches. Meanwhile, affected businesses and individuals are being advised to take precautionary measures to protect their financial and personal information.
With the increasing digitisation of government services, this incident underscores the urgent need for robust cybersecurity policies and enhanced data protection laws to safeguard citizens’ private information.