On the 1st of February 2025, links were shared on social media to a website, run by a Moldovan business intelligence firm named B2BHint, where you could see data about companies all over the world, including data from Kenya’s Business Registration Service (BRS). Of interest to Kenyans was seeing how many companies prominent people in Kenya, such as the President and his family, were shareholders or directors in. I checked the data for companies and people that I know and as far as I could tell, it was accurate.
The website offers subscription services to access full details for specific numbers of companies.
Kenya’s BRS issued a statement on the 2nd of February, saying there was a potential data breach of its systems. Reports said the breach was likely to have happened on 31st January. The government formed a team to investigate the matter, safeguard the systems and prevent any further data exfiltration.
On the 3rd of February, B2BHint posted on X that the Kenyan company data was available on public URLs and they had discovered it was not meant to be public.
A few days later, Information, Communications and the Digital Economy, Cabinet Secretary (CS), William Kabogo said that the data breach had been resolved. “The Ministry confirms that the unauthorised publication of information has been fully removed and permanently erased.”
Later, there were reports that B2BHint had retracted the information about Kenya from its website to avoid legal liability. The report also said that the firm said that neither the BRS nor any law enforcement agency in Kenya had reached out to them.
A number of things are interesting.
First is the question of whether or not there was a breach in the sense of an attack by an external party. B2BHint suggested that it obtained the data through publicly accessible URLs.
Second is the question of whether or not company registration data is sensitive information. When the link to the website was shared on X, some people said that company registration information was public information. Also, when the process of impeaching the then Deputy President of Kenya began, the documents presented included lists of companies owned or directed by members of his family. There was no complaint, as far as I know, that the obtaining or publishing of this information was a breach of privacy.
Third, if there was indeed a breach, there is no way it took place on 31st January as suggested. The data available on the website on 1st February was not just raw, plain text files or spreadsheets. It was data already integrated into the website. Obtaining the data and incorporating it into the website must have taken way more than a day or two.
Fourth, it is interesting that the government said it was investigating the alleged breach, yet B2BHint, who published the information, claimed that at least three days later, no one from BRS had talked to them. Could this perhaps be because there was no breach and therefore really nothing to discuss? It seems that in response to the reaction by Kenyans, B2BHint decided to be cautious and retracted the Kenyan data. As of 14th February, data from other countries is available online on the website.