Business Registration Service data breach
Attackers exfiltrated Kenya's national company-registry data from the Business Registration Service — including ownership and beneficial-owner records touching President Ruto and the Kenyatta family's firms — and offered it for sale on the dark web.
- Victim
- Business Registration Service (BRS)
On the night of 31 January 2025, Kenya's Business Registration Service (BRS) — the agency that maintains the national company registry — was breached, and its data was put up for sale on the dark web within days. Because BRS holds the ownership records of virtually every registered company in Kenya, the leak was both a privacy incident and a national-security and transparency concern.
What happened
Attackers accessed BRS systems over the weekend and exfiltrated a broad slice of the company registry. The exposed data reportedly included:
- Company registration details and incorporation records.
- Directorship information and the identities of beneficial owners — the real people behind corporate entities.
- Records from the Office of the Official Receiver, covering companies in financial distress or insolvency.
The stolen information was offered for sale on dark-web marketplaces. Notably, reporting indicated the trove exposed the business interests of President William Ruto and the Kenyatta family, alongside thousands of private firms — making the breach politically explosive as well as commercially sensitive.
Response
BRS took its online database offline in the immediate aftermath. Director General Kenneth Gathuma said the agency had "strengthened its security protocols" and notified cybersecurity experts and law-enforcement agencies, with investigations ongoing. Investigators reportedly ruled out ransomware as the motive and explored the possibility of an internal actor, given the depth and speed of the data extraction. As of disclosure, no group had been definitively identified and exact record counts were not published.
Why it matters
Beneficial-ownership registries exist precisely to fight money laundering, tax evasion and corruption by revealing who really controls companies. When that same registry is breached and sold, the data becomes a powerful tool for the opposite ends — enabling fraud, targeted social engineering, blackmail and competitive espionage. The BRS incident landed amid a wider 2024–2025 wave of attacks on Kenyan public bodies (including the Kenya Urban Roads Authority and the Micro and Small Enterprise Authority), intensifying scrutiny of how the country secures the centralised digital infrastructure it has rapidly built. It also sharpened debate over the enforcement powers of Kenya's Office of the Data Protection Commissioner and the resilience of government data custodians entrusted with sensitive national records.
Timeline
On the night of Friday 31 January, attackers exfiltrate data from the Business Registration Service's systems.
Stolen records — company ownership, directorships and beneficial owners — surface for sale on dark-web marketplaces.
Reports note the trove exposes the business interests of President William Ruto and the Kenyatta family, among many private companies.
BRS takes its online database offline and says it has strengthened security protocols; investigators reportedly suspect possible insider involvement and rule out ransomware.
BRS Director General Kenneth Gathuma confirms investigations are ongoing and that cybersecurity experts and law enforcement have been notified.
Sources
- techpoint.africahttps://techpoint.africa/2025/02/03/kenyas-business-registration-service-data-breach/
- ntvkenya.co.kehttps://ntvkenya.co.ke/news/cyberattack-on-govt-agency-leaks-private-details-in-major-data-breach/
- kenyanews.go.kehttps://www.kenyanews.go.ke/govt-issues-cyber-security-alert-over-potential-data-breach/