Kenya’s Business Registration Service (BRS) is grappling with a major data breach that occurred on January 31, exposing sensitive information about companies and their owners across the country. The breach has already had real consequences, with stolen data reportedly being sold on the dark web.
BRS Director General Kenneth Gathuma confirmed the incident today, announcing that the agency had activated its Incident Response Plan. The organization’s public database is currently offline, though it’s unclear whether this was caused by the attackers or implemented as a precautionary measure.
The breach is very concerning given BRS’s role as one of Kenya’s most data-rich government organizations. The compromised database includes detailed information about registered companies, their owners, directors, and beneficial owners – data that typically requires paid access to obtain. The breach may also affect sensitive records from the Office of the Official Receiver, which maintains information about companies in financial distress.
Sources familiar with the matter suggest potential insider involvement, stating that “the nature of the breach looks like there was an internal actor.” Unlike previous cyber attacks on Kenyan institutions, investigators have ruled out ransomware as a motive.
The attack is Kenya’s first major government data breach since the Kenya Airways cyber attack in late 2023. Under Kenya’s data protection laws, BRS must now assess the damage and notify affected parties.
BRS has promised transparency throughout the investigation and is working with cybersecurity experts, law enforcement, and investigative agencies to contain and mitigate the breach’s impact.