Kenya's digital economy stands at a critical inflexion point, largely due to cloud technology. While only 24.2% of SMEs are actively using cloud computing, the technology is projected to contribute almost KSh 1.4 trillion by 2033. Alongside this uptake come increasingly frequent and damaging data breaches, which erode customer trust while creating regulatory liabilities.
In April 2025, Gmail suffered a credential theft incident that affected 183 million users worldwide. Just last month (October 2025), the M-TIBA health platform was catastrophically hit, with the medical records of 4.8 million Kenyans allegedly exposed.
The truth is that every organisation, regardless of its size, certification status, or otherwise, can still be breached.
In this article, Ian Makambu explores the persistent gap between what organisations declare about data protection and what is actually implemented. The gap is not accidental. Instead, it reflects the systematic failure of companies to internalise data protection as an operational imperative, with many still approaching it as a compliance checkbox.
In addition to the global cloud breaches affecting Google and Microsoft in 2024 and 2025, as shown in the graph above, there have been local breaches that demonstrate that security certification does not always guarantee operational security. Let us consider the case of M-TIBA to illustrate this clearly.
The M-TIBA breach is easily Kenya's most devastating data incident since the Data Protection Act, 2019 took effect. A threat actor known as "Kazu" reportedly advertised more than 2.15 terabytes of databases allegedly sourced from M-TIBA.
The compromised data allegedly includes:
Full names, national ID numbers, phone numbers, and dates of birth for 4.8 million individuals.
Detailed patient medical records, diagnoses, and clinical notes.
Financial records, including billing history and payment transactions.
Health facility information.
The threat actor also offered a 2GB sample file as proof of the breach. If verified, this represents a deliberate theft and attempted monetisation of Kenyans' health data, covering both personally identifiable information and protected health information.
To determine whether the breach is an allegation or a credible threat, let us consider M-TIBA's response pattern.
M-TIBA, which is operated by CarePay, received its ISO/IEC 27001:2022 certification in August 2025. In other words, two months before this catastrophic incident, the platform had declared that it complied with the information security management standard.
The pattern illustrated by this unfortunate attack is that a certification only validates that an organisation has documentation, policies, and controls on paper. It offers no proven guarantee or assurance that those controls are enforced in practice to protect against actual breaches.
As of November 2025, there has been no confirmation from M-TIBA. The Office of the Data Protection Commissioner (ODPC) has only confirmed the threat, offering no reassurance following stakeholder consultation.
Most organisations in Kenya have superficial data protection measures. The following are the most familiar:
Privacy Policy - Incomprehensible policies, often published in English only on websites.
Data Protection Officer - Organisations often assign this role to overworked HR staff or legal officers who lack security training.
ISO 27001 Certifications - Numerous certifications, including Data Controller and Data Processor registration, that indicate documented controls without verifiable operational implementation.
Simultaneously, the same organisation will operate with:
Unencrypted personal data in cloud storage.
No audit logging of data access.
No incident response procedures.
Inadequate or completely absent employee training on data handling obligations.
No vendor security assessments, on the assumption that all cloud providers handle security responsibly.
Our Data Protection experts at South-End Tech Ltd propose the Five-Component Governance Blueprint:
In contrast to generic frameworks, Kenyan organisations require scaled and practical approaches that address specific constraints.
Data Classification and Inventory - Organisations cannot protect data they do not understand. Data classification establishes what information exists, where it resides, and what protection level it requires.
Lawful Basis and Consent - Organisations must have a lawful basis for each category of data processing. Simply stating "we collect data because our business needs it" violates the law.
Privacy Impact Assessments - Before implementing new cloud services, data processing activities, or system changes, organisations must assess the privacy risks associated with these initiatives.
Roles and Accountability - Data protection cannot succeed if responsibility is unclear. Organisations must define who is accountable for each data governance function.
Monitoring and Audit Trails - Governance frameworks are only meaningful if they produce verifiable evidence of compliance and enable the detection of breaches.
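An added example (not code from the article or from South-End Tech) of what the classification and audit-trail components look like in practice: a classification inventory decides which data accesses must be logged, the log is hash-chained so it yields verifiable evidence that nothing was altered or removed, and a bulk-access check flags the kind of mass read of protected data that precedes a large exfiltration. The dataset names, protection levels and the 10,000-row threshold are assumptions.

```python
import hashlib
import json
from collections import Counter

# Constructed inventory: the data categories the M-TIBA listing named,
# each mapped to an assumed protection level.
INVENTORY = {
    "patients.identity": "PII",
    "patients.clinical_notes": "PHI",
    "billing.transactions": "FINANCIAL",
    "facilities.directory": "INTERNAL",
}
# Assumed policy: these classes must be encrypted at rest and logged on access.
PROTECTED = {"PII", "PHI", "FINANCIAL"}
GENESIS = "0" * 64  # previous-hash value of the first entry


def new_log():
    return []


def record_access(log, actor, dataset, rows):
    """Append one hash-chained audit entry describing a data access."""
    entry = {
        "actor": actor,
        "dataset": dataset,
        "rows": rows,
        "class": INVENTORY.get(dataset, "UNCLASSIFIED"),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    body = json.dumps(entry, sort_keys=True)  # canonical form before hashing
    entry["hash"] = hashlib.sha256(body.encode()).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """True only if every entry is intact and none was removed or reordered."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev:
            return False
        body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
        if hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def bulk_access_alerts(log, threshold=10_000):
    """Actors whose cumulative reads of protected data exceed the threshold."""
    totals = Counter()
    for e in log:
        if e["class"] in PROTECTED:
            totals[e["actor"]] += e["rows"]
    return sorted(a for a, n in totals.items() if n > threshold)
```

In a real deployment the chain head would be anchored off-host (for example, periodically signed and shipped to a write-once store) so that an attacker with database access cannot simply rebuild the log.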
South-End Tech transforms business practices by embedding privacy and governance into daily operations through its Five-Component Data Governance Framework and Data Protection Officer (DPO) as a Service model.
Our approach empowers organisations to move beyond compliance and build trust, operational efficiency, and digital resilience through the following components:
Data Classification and Inventory – We help organisations identify and categorise their data, understand where it resides, and determine the appropriate protection level, ensuring effective risk management.
Lawful Basis and Consent Management – We ensure all data processing activities align with the Data Protection Act, 2019, establishing clear lawful bases and transparent, auditable consent mechanisms that build stakeholder confidence.
Privacy Impact Assessments (PIAs) – Before introducing new systems or services, we conduct PIAs to identify potential risks and embed privacy by design into business processes.
Roles and Accountability – We define clear data protection responsibilities and provide outsourced DPOs who act as strategic advisors to management and staff, strengthening organisational accountability.
Monitoring and Audit Trails – We implement monitoring tools and audit systems that provide verifiable evidence of compliance, enhance transparency, and detect breaches early.
Through this integrated framework, South-End Tech enables organisations to transform compliance into a strategic advantage and safeguard their digital future.
Reach us through info@southendtech.co.ke and dataprotection@southendtech.co.ke