A major data breach has reportedly hit the Safaricom-backed M-TIBA platform, threatening the privacy of millions of Kenyan users. A hacker group calling itself “Kazu” claims to have stolen more than 2 terabytes of sensitive health and personal data from the mobile health wallet service.
The incident, which may have compromised up to 4.8 million users, has sparked widespread concern about data protection, transparency, and the growing vulnerability of Kenya’s digital health systems.
Early investigations suggest that the hackers accessed personal details, including national ID numbers, phone contacts, billing sheets, and even medical diagnoses.
Safaricom Faces Scrutiny Over Massive M-Tiba Data Breach and Delayed Disclosure
According to information shared online, the hacking group “Kazu” claims to have exfiltrated over 17 million files from M-TIBA servers. These files reportedly contain full names, national identification numbers, dates of birth, contact details, and confidential medical records linked to over 700 health facilities nationwide.
To substantiate its claims, the group released a 2GB sample of the stolen data on Telegram, showing patient records, scanned documents, and billing sheets. The sample appears to include information for at least 114,000 users, though the hackers claim the total number could exceed 4.8 million.
If confirmed, this would mark one of the largest data breaches in Kenya’s history, surpassing earlier cyber incidents involving financial and government databases.
| Data Type | Description of Compromised Information |
|---|---|
| Personal Information | Full names, phone numbers, national ID numbers, and dates of birth |
| Medical Records | Diagnoses, treatment notes, scanned documents, and prescriptions |
| Financial Data | Billing information and health insurance claims |
| Facilities Affected | Over 700 hospitals and clinics nationwide |
Response and Ongoing Investigation
CarePay, the Dutch-based company that operates M-TIBA in partnership with Safaricom and PharmAccess Foundation, has acknowledged awareness of the situation but stopped short of confirming the full extent of the breach. The company stated it is “actively investigating” the claims and working with cybersecurity experts to determine if data was indeed stolen.
The Office of the Data Protection Commissioner (ODPC) issued a statement on October 29, confirming that it is monitoring the situation closely. Under the Data Protection Act, 2019, any organization that experiences a data breach must report it to the ODPC within 72 hours.
However, observers have questioned why M-TIBA has not yet issued a formal public disclosure or notified affected users. The delay raises concerns about transparency and whether the platform is complying with Kenyan data protection regulations.
The ODPC noted that it is in active discussions with CarePay and other relevant entities to establish “the exact nature and scope” of the reported breach and ensure appropriate remedial actions are taken.
Risks and Implications for M-Tiba Users
Experts warn that the M-Tiba data breach could have long-term consequences for millions of Kenyans who rely on the platform for managing health insurance and accessing care. Stolen personal and medical data could be exploited for identity theft, phishing scams, and medical fraud.
Cybersecurity analyst Kevin Odhiambo said, “Once medical data is leaked, it’s almost impossible to retrieve or contain. Criminals can sell it, use it to impersonate victims, or manipulate health records for financial gain.”
The breach also exposes the fragility of Kenya’s digital health infrastructure, which has rapidly expanded over the past decade but still lacks robust cybersecurity frameworks.
CarePay’s privacy policy emphasizes that it handles user data “carefully and securely,” but also notes that “no system is impenetrable.” The current situation, however, puts that assurance under intense scrutiny.
For now, users are being urged to:
- Change passwords linked to their M-TIBA accounts.
- Avoid clicking on suspicious links or sharing personal details through unofficial channels.
- Monitor their medical and financial accounts for unusual activity.
- Request clarification from M-TIBA about whether their records are among those compromised.
If confirmed, the M-Tiba breach could reshape Kenya’s approach to data governance and digital health security, prompting tighter enforcement by the ODPC and renewed public debate about how corporations handle sensitive health information.
What M-Tiba Data Breach Means
The M-Tiba data breach serves as a harsh reminder that digital convenience comes with serious risks. While Kenya has made impressive strides in health technology and mobile innovation, cybersecurity remains a weak link.
If 2.15 terabytes of medical data have indeed been stolen, the fallout could be immense—from loss of public trust to potential lawsuits and regulatory penalties. As investigations continue, millions of Kenyans wait anxiously for answers—and assurances that their most private information is safe.
