The Business Registration Service (BRS) in Kenya is currently dealing with a significant data breach that happened on January 31 and exposed private data about businesses and their owners nationwide. One of the immediate consequences of the breach is the sale of stolen data on the dark web.

Kenneth Gathuma, the Director General of BRS, confirmed the incident on Sunday, stating that the organisation had activated its Incident Response Plan. However, the public database has been temporarily taken offline, though it remains unclear whether this action was preventive or a direct result of the cyberattack.

Read also: Nigerian hackers breach UnitedHealthcare database to steal 120 million Americans’ private data

Companies private information at risk 

As one of Kenya’s most data-rich government agencies, the breach has raised serious concerns.

The compromised database contains comprehensive data about registered businesses, their directors, owners, and beneficial owners—information that is normally only accessible with a fee.

Sensitive documents from the Office of the Official Receiver, which keeps data on businesses experiencing financial difficulties, may also be compromised.

Ransomware ruled out

Investigators have ruled out ransomware as a motive, in contrast to earlier cyberattacks on Kenyan institutions.

Read also: Hackers stole $17 million from Bank of Uganda, incident under investigation

This is the first significant government data leak in Kenya since the late 2023 cyberattack on Kenya Airways.

Kenya’s data protection regulations now require BRS to evaluate the harm and inform those impacted.

BRS has committed to openness during the investigation and is collaborating with law enforcement, cybersecurity professionals, and investigative organisations to limit and lessen the impact of the intrusion.