A major data breach has rocked Kenya’s Business Registration Services (BRS), leaving (at first glance), all of Kenyans’ of private company details public.
Initial reports suggest the breach occurred or was discovered on Friday night, January 31, and has since forced senior officials into round-the-clock crisis meetings.
“We still can’t say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach looks like there was an internal actor,” an anonymous source told Nation.
The incident has led to the sale of stolen data on the dark web, a hidden online space often used for illicit activity. BRS, known for holding large volumes of sensitive information—from beneficial owners to directors—now faces the challenge of determining exactly how much data was compromised.
It is possible to conduct a company search, and that has been a revenue source for the government. With this breach, all records can be accessed freely. On top of that, information that should be private, like the number of companies associated with an individual, and now public for all to see.
Kenya’s data protection laws require any affected organization to assess the extent of the damage and notify individuals whose information may have been compromised. The BRS would be expected to comply with these regulations while attempting to halt further fallout.
This is the first large-scale data breach to hit a Kenyan government institution in over a year, following a 2023 cyberattack on Kenya Airways.
