
It is not yet clear who is behind the data breach at the State-owned Business Registration Services or the total amount of data stolen.
A trove of secret and sensitive data of significant shareholders in registered firms such as national ID, residential address, and telephone numbers could be offered for sale online after a data breach at the State-owned Business Registration Services (BRS).
The cyber-attack and theft of the data is said to have occurred on the night of Friday, January 31, with personal data pushed on the dark web.
"We still can't say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach looks like there was an internal actor," said a source, who spoke on condition of anonymity as he is not authorised to issue Press statements.
The cyber-attack comes weeks after the lapse of the December 1 deadline that required registered companies to disclose the names, phone numbers, and residential addresses of owners who hold more than 10 percent stakes through secret accounts to BRS.
The details required included name of the substantial shareholder, Kenya Revenue Authority (KRA) PIN, National ID or passport number, postal address, residential address, occupation, telephone number, and the date when the investor became a beneficial owner.
The law bars companies and BRS from making public the personal details of the beneficial owners, but opens the window for the KRA, security agencies and the Financial Reporting Centre to tap the information.
On Sunday, BRS — the sole custodian of a list of all companies and shareholder information — said it was reviewing the extent of the breach.
“Our cyber security experts are working closely with our cyber security partner, law enforcement and investigative agencies to assess the scope of the incident,” said BRS Director-General Kenneth Gathuma in a statement.
“We are still verifying the details of the alleged breach, including the nature and extent of the compromised data.”
It is not yet clear who is behind the cyberattack or the total amount of data stolen, but there are confirmed reports that the data is being sold on the dark web— websites not indexed by search engines, mostly used for illegal activities, and often visited anonymously.
On Sunday, the Nation confirmed that some of the leaked files were being auctioned on a site known as b2bhint.com, with authoritative sources saying some sellers have data on Kenyan companies dating all the way back to 1967.
The BRS is one of the most data-rich organisations in government, holding the information that many would prefer to keep private. For example, the organisation holds data on all registered companies, their registered owners, beneficial owners and directors.
The Office of the Official Receiver, which is housed within the BRS, also keeps records of the number and details of companies in financial distress, data that may also have been stolen.
Under Kenya's data protection laws, once such a breach is confirmed, the affected organisation is expected to assess the extent of the damage and notify all affected parties while it works to contain the situation.
This is the first major data breach suffered by a government entity in over a year, following a cyber-attack on Kenya Airways in late 2023, which resulted in the loss of huge amounts of customer data.
The motive behind the attack on BRS is not yet clear, but sources say authorities have ruled out ransomware, where attackers demand payment for the stolen data before it can be restored.
Registered companies had up to November 30 to disclose the secret shareholders by or risk deregistration.
Most high-net-worth shareholders at the NSE hold shares through nominee accounts, with the list of top 10 shareholders in a majority of blue chip firms dominated by anonymous investors.
Failure to comply with the requirement to disclose an entity’s beneficial ownership attracts a penalty of Sh500,000 after the November 30, 2024 deadline while a further offence each day the failure continues attracts a fine up to Sh50,000.
Entities must also disclose changes to beneficial ownership information to the registrar within 14 days or face an administrative fine of Sh2,000.
The requirement for filing beneficial ownership information seeks to cover risks of the entities being misused to facilitate criminal activity such as corruption, money laundering, financing of terrorism and the proliferation of tax evasion.
The government is relying on the disclosures to enhance the transparency of beneficial ownership in public procurement.