Vulnerability haunts over a million Kenyan Businesses, more could be at risk!

Over 1.1 Million Business Records Compromised at Kenyan Registry of Companies
Incident Overview
Kenya’s Business Registration Service (BRS) experienced a significant cyberattack on the night of 31 January 2025, resulting in a data breach that exposed sensitive information. According to BRS statistics, the compromised data includes details about company ownership, directorship, and beneficial ownership of over 1,111,450 companies, both private and public, registered since 2015. Analysis in key Kenyan media reports following the attack indicates that the state-confirmed breach of the sole custodian of the country’s company registry raises concerns about the security of sensitive individual and business information, highlighting weaknesses in the protection of critical personal and corporate data.

Cybersecurity Weaknesses?
Kenya’s Business Daily has said a little-known Moldovan business intelligence firm allegedly exploited a weakness in Kenya's government-owned Business Registration Service (BRS) to gain access to sensitive data of major shareholders in registered firms. The report, refuted by B2bhint, says the firm accessed and subsequently offered for sale a substantial amount of sensitive data from over two million Kenyan companies. This data included personal details such as residential addresses, email addresses, and phone numbers of significant shareholders. The firm reportedly sold this information for as much as Sh24 million for a comprehensive package, with individual phone numbers priced as low as $0.015.
According to the same Business Daily report, B2bhint denied hacking the BRS system, attributing its access to a perceived weakness in the BRS's cybersecurity standards. The denial comes from statements made by the company, which were reported in news sources. B2bhint refuted the claim that it hacked into the BRS system, saying the data was accessed through public URLs that were not adequately protected, rather than through a direct breach or hacking. B2bhint representatives clarified that their access to the data was based on the public availability of information and was not the result of malicious hacking. The Moldovan firm said the data was exposed due to the BRS's cybersecurity weaknesses, rather than any illegal breach on its part.
Response from Kenyan Authorities
BRS Director General Kenneth Gathuma confirmed the breach, emphasizing that the organization was strengthening its cybersecurity measures in response and that investigations were ongoing to understand the scope and prevent further incidents. The Ministry of Information, Communications, and the Digital Economy insisted that the data breach had been addressed.
What is at Stake?
Whether it was through hacking or cybersecurity weaknesses, the BRS breach on 31 January 2025 is notable for its scale. The exposure of sensitive data to the public domain raises concerns about its potential misuse. This could negatively impact investor confidence and erode trust in Kenya's regulatory systems. Restoring trust will require clear and transparent communication about the breach, its consequences, and the steps taken to address it.

While some analysts have suggested the possibility of a dark web sale of the hacked personal data, the exposure of the data-rich BRS could lead to identity theft, fraud, or targeted social engineering attacks, particularly as it contains information about both companies and their beneficial owners.
How Do Affected Entities Protect Themselves?
Following this incident, both individuals and corporate entities need to mitigate the consequences of identity theft and the use of sensitive data to steal from them. Individual victims of personal identity theft, especially those whose information is at risk of being sold on the dark web, can take several steps to protect themselves:
- Report identity theft: Immediately report the theft to relevant authorities, such as your local police, the National Data Commission, and any other relevant agencies to create a record of the crime and prevent further misuse of your information.
- Monitor your bank account and credit card statements:
  - Review your financial statements carefully for any unauthorized transactions.
  - Immediately report any suspicious activity to your bank or credit card company.
  - Regularly check for any unusual activity and consider subscribing to a monitoring service for real-time alerts.
- Identity theft protection services: Many services monitor the use of your personal data on the dark web and provide assistance in recovering your identity. These services may also help in freezing your credit or notifying you of suspicious activity.
- Secure your online accounts:
  - Change passwords: Immediately change the passwords for all online accounts, especially those that store sensitive information, such as email, banking, and social media. Use strong, unique passwords for each account.
  - Enable 2-factor authentication: For added security, enable 2FA on accounts where possible. This adds an extra layer of protection by requiring a second form of verification beyond just your password.

Policy Way Forward for the BRS and Similar State Agencies
The BRS breach highlights vulnerabilities in systems managing sensitive corporate and personal data. The breach has sparked demands for stronger cybersecurity protocols in both public and private sectors. Some effective strategies for addressing these vulnerabilities include:
- Zero trust architecture (ZTA): This approach ensures no implicit trust is granted to users or systems inside the network. ZTA reduces reliance on perimeter security and emphasizes verifying each access attempt, regardless of the location of the user or device.
- Encryption and multi-factor authentication: The implementation of these practices prevents unauthorized access even if credentials are compromised.
- AI for threat detection: Tools that leverage machine learning algorithms to detect anomalous behavior can prevent threats in real time.
- Advanced intrusion prevention systems: These systems monitor and block potentially harmful activities before they breach a network.
Afrensics Security offers all these remedies.