Hello

Your subscription is almost coming to an end. Don’t miss out on the great content on Nation.Africa

Ready to continue your informative journey with us?

Hello

Your premium access has ended, but the best of Nation.Africa is still within reach. Renew now to unlock exclusive stories and in-depth features.

Reclaim your full access. Click below to renew.

Cyberattack on companies’ registry leaks private details in major data breach

A number of online services were unavailable for the better part of Thursday

Inadequate "cyber security hygiene" and awareness leave citizens vulnerable to attack.

Photo credit: Shutterstock

The Business Registration Services (BRS) has suffered a major data breach in a cyber-attack that has now left information of many private companies in the hands of the public.

A source close to the matter has confirmed the breach, saying that the organisation's executives were holed up in crisis meetings for most of Saturday, February 1 following the attack.

The attack is thought to have occurred on the night of Friday, January 31.

"We still can't say who is behind the breach, but it looks like the intent is sabotage because the nature of the breach looks like there was an internal actor," said the source, who spoke on condition of anonymity as he is not allowed to speak to the media.

When contacted for comment, BRS Director General Kenneth Gathuma said he was still unable to comment as he was in back-to-back meetings regarding the breach.

It is not yet clear who is behind the cyberattack or the total amount of data stolen, but there are confirmed reports that the data is being sold on the dark web (websites not indexed by search engines, mostly used for illegal activities, and often visited anonymously).

Data-rich

The BRS is one of the most data-rich organisations in government, holding information that many would prefer to keep private.

For example, the organisation holds data on all registered companies, their registered owners, beneficial owners and directors.

Normally, the BRS charges fees to release such data, but the breach means that even those who do not pay and leave their details with the agency can now access the information.

The online database through which the public can access such data is currently down and inaccessible, raising questions as to whether the attackers brought it down.

The Office of the Official Receiver, which is housed within the BRS, also keeps records of the number and details of companies in financial distress, data that may also have been stolen.

Under Kenya's data protection laws, once such a breach is confirmed, the affected organisation is expected to assess the extent of the damage and notify all affected parties while it works to contain the situation.

This is the first major data breach suffered by a government entity in over a year, following a cyber-attack on Kenya Airways in late 2023, which resulted in the loss of huge amounts of customer data.

The motive behind the attack on BRS is not yet clear, but sources say authorities have ruled out ransomware, where attackers demand payment for the stolen data before it can be restored.