A major data breach at Kenya’s Business Registration Service (BRS) has exposed sensitive information of significant shareholders, including national ID numbers, phone contacts, and residential addresses.
The cyberattack, which reportedly occurred on January 31, has led to stolen data being sold on the dark web, with some files dating back to 1967.
In a statement on Sunday, February 2, the agency said it has launched an investigation into the matter, and assured stakeholders that immediate action was taken to assess and mitigate any risks.
"The Business Registration Service (BRS) is aware of reports regarding a potential data breach affecting the company registry’s information. Upon receiving this information, we immediately activated our Incident Response Plan, launched a comprehensive investigation, and notified the relevant regulatory authorities," a statement signed by BRS Director General Kenneth Gathuma read.
BRS noted that its cybersecurity experts are working closely with law enforcement and investigative agencies to determine the scope of the incident.
Additionally, the agency said that the nature and extent of any compromised data are still being verified.
"Our cybersecurity experts are working closely with our cybersecurity partner, law enforcement, and investigative agencies to assess the scope of the incident, determine any potential impact, and implement necessary containment and mitigation measures.
"At this stage, we are still verifying the details of the alleged breach, including the nature and extent of any compromised data. Once the investigation is complete, we will provide an update and directly engage with any affected parties," the statement added.
The breach follows a recent legal requirement for companies to disclose beneficial owners, with penalties of up to Ksh500,000 for non-compliance.
Small businesses in Kenya face fines of Sh500,000 plus daily penalties of Sh50,000 and potential loss of banking services if they fail to comply with new anti-money-laundering rules that have been in effect since November 2024.
Banks are requiring MSMEs to disclose beneficial owners' details and financial accounts as part of enhanced customer due diligence measures.
The regulations, affecting nearly 7.4 million MSMEs, require businesses to provide personal information including names, addresses, PINs, and proof of residence, though firms with annual sales below Sh50 million are exempt from providing audited accounts.
The measures follow Kenya's placement on the FATF's grey list and aim to prevent money laundering schemes like the 2015 NYS scandal, where banks were fined Sh800 million for failing to report suspicious transactions.
While the Kenya Bankers Association notes that the requirements apply only to registered businesses, the rules have raised concerns about tax implications and government access to financial information.