Safaricom hit by SIM swap fraud class-action suit
A Safaricom outlet on Kimathi Street in Nairobi. Safaricom Plc is facing a landmark class action suit that could expose it to runaway claims by Sim fraud victims.
What you need to know:
- The telco is also staring at the grim probability of being ordered to pay damages to victims of online fraud conducted through its subscriber identity module (Sim) cards, systems or networks.
- The risk of illegal swapping of Sim cards extends to financial institutions, as fraudsters get unfettered access to bank accounts and mobile loan platforms.
- In the suit filed by Mr Abdi Zeila at the High Court in Milimani, Nairobi, Safaricom is being accused of failing to ensure that the registration details of subscribers are secure and confidential.
Regional telecommunication giant Safaricom Plc is facing a landmark class action suit that could expose it to runaway claims by Sim fraud victims.
The telco is also staring at the grim probability of being ordered to pay damages to victims of online fraud conducted through its subscriber identity module (Sim) cards, systems or networks.
The risk of illegal swapping of Sim cards extends to financial institutions, as fraudsters get unfettered access to bank accounts and mobile loan platforms.
In the suit filed by Mr Abdi Zeila at the High Court in Milimani, Nairobi, Safaricom is being accused of failing to ensure that the registration details of subscribers are secure and confidential.
Safaricom is further accused of failing in its obligation to ensure that personal registration details are not disclosed to third parties without the written consent of the subscriber.
Mr Zeila has received the court’s nod to invite other Safaricom subscribers in the class-action suit for injuries and financial losses caused by Sim swap activities on M-Pesa and mobile money platforms.
The Communication Authority of Kenya (CA) is also listed as a defendant for allegedly overseeing violations of the rights of subscribers and exposing them to fraudsters.
Mr Zeila says in court papers that, on March 28, his Safaricom-registered Sim card was cloned without his authorisation and a total of Sh495,651 was withdrawn from his NCBA Bank account and M-Pesa wallet.
The fraudsters, he further states, also took money from his mobile loan wallets at NCBA bank, M-Pesa, KCB M-Pesa and Safaricom Fuliza.
As a result of the fraud, Mr Zeila says he lost Sh373,000, which was withdrawn from his NCBA Bank account.
Mobile banking loan
The fraudster is said to have also applied for and obtained a Sh66,640 mobile banking loan from NCBA Bank before proceeding to withdraw the money.
In addition, the fraudster reportedly obtained mobile loans from other institutions, including Sh24,000 from Mr Zeila’s M-shwari loan account, Sh20,000 from his KCB mobile loan account and a Sh12,000 M-Pesa overdraft through the Fuliza credit service.
The complainant explains that, at the time of the unauthorised Sim swap, his mobile phone was on a roaming network outside Kenya.
He says Safaricom, being the provider of the roaming network he was using, was aware or reasonably ought to have been aware that he could not have been in a position to carry out a Sim swap as he was out of the country.
Mr Zeila adds that he returned to the country on March 30 through the border town of Namanga, only to discover that his Safaricom number was not functional and that his accounts had been drained.
He reported the matter to the police and a Safaricom centre at Galleria Mall in Nairobi.
“Several months later, I have neither received feedback nor a refund of my lost funds. I am apprehensive that Safaricom does not intend to. I hold Safaricom solely liable for the loss I incurred. I am aware that there have been various newspaper reports of Sim swap fraud on the Safaricom network, especially after my experience,” he says.
Mr Zeila says Safaricom has consistently conducted public campaigns regarding Sim card registration or replacement, adding that a major condition for Sim card replacement or registration is for a subscriber to physically present themselves to an agent or at the telco’s customer care centres.
One is also required to produce their original national identification card to have their Sim card replaced or registered.
ID documents
Mr Zeila further states that at the time his Sim card was swapped, he had his original national identification card and original passport. He, therefore, claims the fraud must have been done without the use of his physical identification documents.
“Only Safaricom can explain and take responsibility for the unauthorised Sim swap registration that occurred on his account… Safaricom had sole responsibility for carrying out know-your-customer (KYC) steps and verification prior to authorising the Sim swap,” says Mr Zeila.
He says Safaricom had his identification details since, at the time of buying and registering his Sim card, he presented himself to a Safaricom outlet, where his details, including his original national identification card and actual passport photo, were taken for purposes of identification and registration of the new line.
“I was under the impression that, with such watertight registration, my Sim card would be secure and my data would not be handled in a manner that would expose me to harm,” states Mr Zeila.
He continues: “I am aware that a Sim swap is not possible unless someone has access to the Safaricom system and the targeted subscriber’s personal data, which are required for purposes of effecting sim registration.”
He argues CA has failed in its regulatory and supervisory duties to ensure that Safaricom provides secure and reliable telecommunication services.
He says CA has “superintended persistent and unforgivable violations and causation of injuries by Safaricom to him (and members of the class)”.
Under Section 27C of the Kenya Information and Communication Act, Mr Zeila says, a subscriber cannot be held liable if they can prove they were not in control of the Sim card at the time a particular activity or transaction was carried out.
The responsibility, he argues, rests with the service provider and the regulator; Safaricom and CA respectively in this case.
He further says that he was exposed to online fraudsters and subsequently suffered the loss despite adhering to the safety measures and policies published by Safaricom on its website. Mr Zeila believes that he suffered the loss as a result of Safaricom’s own breach of duty of care.
He wants Safaricom and CA held liable and be ordered to pay for the financial losses incurred by him and other members of the class.
Personal data
In addition, he is seeking a declaration that Safaricom failed to securely process and control his personal data and that of his co-victims of Sim swap.
He further wants the court to declare that CA failed to exercise its regulatory mandate in a diligent manner and failed to hold Safaricom to its licence conditions. By this failure, he says, CA caused mobile phone subscribers financial losses. He filed the suit through CNK Advocates LLP and ALP Kenya Advocates.
In its 2022 sustainability report, Safaricom reported that it sacked a total of 24 staff for fraud in the year to March.
While the number of fraud cases investigated by the company reduced from 36 to 27, however, cases particularly touching on Sim swap constituted the bulk of those investigated during the year.
Safaricom further stated that, of the 27 cases investigated during the year, 10 were related to Sim swap, up from the four such cases that were investigated the previous year.
“We continued to conduct training for staff through fraud awareness sessions, together with fraud training for our M-Pesa agents, dealers and suppliers. We also continued to help customers safeguard themselves from fraud by educating them on how to protect themselves on the network by safeguarding and protecting their data and sensitive information,” the company said in the report, while committing to continue prioritising fraud management and data privacy in its operations.
