Kenyan government Business Registration Services reports cyberattack, data breach

The Business Registration Services (BRS), a Kenyan government organization responsible for managing sensitive company registration data, is reporting a data breach.

The cyberattack occurred on January 31, 2025. BRS executives spent February 1 in emergency meetings addressing the incident. The initial investigation suggests possible internal involvement, as the nature of the breach indicates insider knowledge. The organization's public database system is currently offline, though it's unclear whether this was a preventative measure or caused by the attackers.

The attack compromised sensitive information about private companies and their stakeholders, including:

• Company registration details
• Owner information
• Director details
• Beneficial owner records
• Potentially sensitive information about companies in financial distress

The number of affected organizatons and individuals and details about the attack are not disclosed. The stolen data is reportedly being sold on the dark web. The authorities have ruled out ransomware as no demands for payment have been made.

Update - as of 4th of February 2025, Kenya's Business Registration Service has blamed B2Bhint, a Moldovan business intelligence firm for the theft. They are reportedly selling sensitive data from approximately two million companies. B2Bhint has denied the allegations, claiming instead that they discovered publicly accessible Kenyan company data that shouldn't have been public, suggesting a potential security vulnerability. The company stated they have taken action and are awaiting BRS's response to help resolve the situation.

Under Kenyan data protection laws, BRS is required to assess the breach's extent and notify affected parties. BRS has acknowledged the data breach claims and are investigating.