KenyanHour

Safaricom PLC, long hailed as the crown jewel of Kenya’s digital revolution, is now at the center of a damning international campaign. A coalition of human rights lobby groups is preparing to petition Vodacom, Safaricom’s parent company, alongside global regulatory entities in Europe and the United States, over what they describe as systematic complicity in state surveillance, unlawful abductions, evidence fabrication, and one of the largest data breaches in African history.

The petition, set to be lodged in Johannesburg, London, and Brussels, is built around a sweeping dossier of allegations. It paints Safaricom not merely as a passive telecom operator occasionally bending to government pressure, but as an active partner in the criminalization of dissent and the erosion of privacy rights for over 43 million Kenyans.

At stake is not just the reputation of East Africa’s largest telecommunications company, but the credibility of Vodacom and its ultimate shareholder, Vodafone Group Plc, in maintaining human rights standards across its global operations.

The Petition’s Core Demands

According to drafts seen by investigative desk, the lobby coalition’s petition demand:

• An independent forensic audit of Safaricom’s data servers and security systems.
• Full disclosure of all state requests for customer data from 2018 to 2025.
• A binding framework preventing Safaricom from releasing subscriber information without judicial authorization.
• Compensation mechanisms for victims of data leaks, fabricated prosecutions, and politically motivated abductions allegedly facilitated through Safaricom’s infrastructure.
• Potential sanctions by international regulators if Vodacom fails to act.

The petition is not framed as a polite request but as a direct indictment of Safaricom’s role in State surveillance in Kenya. 

The Case of David Oaga Mokaya: Spark of the Fire

The petition anchors itself in the ongoing trial of David Oaga Mokaya, a 24-year-old Moi University student arrested in November 2024 for posting a satirical image of President William Ruto’s coffin on X. His case might have been dismissed as another example of Kenya’s overzealous cybercrime prosecutions — except for one detail:

In open court, a Safaricom witness admitted that Mokaya’s subscriber data was handed over to investigators without a court order.

This single disclosure set off alarm bells for digital rights defenders worldwide. It not only undermined the prosecution’s case but also confirmed what had long been whispered: that Safaricom routinely provides state agencies with private user data outside the framework of the law.

For the lobby group, Mokaya’s case is Exhibit A — the most public proof yet that Safaricom’s compliance has turned phones into instruments of surveillance rather than tools of freedom.

A Trail of Abductions

The Mokaya case is not an isolated instance. The petition catalogs more than two dozen cases of activists, bloggers, and community organizers who vanished under mysterious circumstances between 2020 and 2024.

In each case, relatives later discovered that the victims’ last mobile signals had been traced within minutes of their disappearance. In some instances, MPESA transaction logs — available only to Safaricom — were cited in police inquiries.

The lobby group argues that this pattern shows a systematic use of Safaricom’s data systems to track dissenting voices, leading in some cases to abductions or enforced disappearances. Families of victims have joined the petition as co-signatories, transforming it from a policy critique into a human rights demand with faces and names.

The 43 Million-User Data Breach

If Mokaya’s case revealed the misuse of Safaricom’s data by the state, the Central Development Server (CDS) breach exposed just how insecure that data is in the first place.

In late 2023, hackers infiltrated the CDS — Safaricom’s big-data environment under CFO Dilip Pal — and extracted records affecting virtually every subscriber. These included call metadata, device fingerprints, geolocation trails, and MPESA transaction histories.

More than 43 million Kenyans were exposed in one of Africa’s largest-ever data breaches. The leaked records were raw, unencrypted, and comprehensive, allowing attackers to reconstruct individuals’ private lives in chilling detail.

Instead of disclosing the breach as required under the Data Protection Act (2019), Safaricom allegedly colluded with state agencies to cover it up. Their chosen scapegoat was an IT employee, Saikumar Allaka, arrested and charged with leaking the data.

The prosecution collapsed when AWS confirmed that the alleged account used to siphon data never belonged to Safaricom. Allaka was acquitted in April 2024, but by then his life had been destroyed — and the breach remained unacknowledged.

This concealment forms the second pillar of the lobby petition: that Safaricom not only failed to secure customer data but also fabricated evidence with the state to protect its executives.

The Machinery of Fabrication

The petition dedicates an entire section to what it calls the “Safaricom-DCI forgery machine.”

Internal memos and testimony point to the company’s Corporate Security Division, led by Eric Anderson Kabugo Mugo, as the hub where evidence was allegedly manufactured. Among the practices cited:

• Uploading falsified forensic exhibits into court files.
• Tampering with seized laptops by altering serial numbers.
• Introducing unsigned documents as official DCI exhibits.
• Smuggling fabricated AWS account data into prosecution bundles.

These practices, according to the petition, demonstrate not just negligence but active collusion with law enforcement to manipulate the justice system.

International Implications

The lobby group is not limiting itself to Vodacom. The petition is being prepared for submission to:

• The European Data Protection Board (EDPB) in Brussels, urging an inquiry into Vodafone Group’s compliance with GDPR principles through its African subsidiaries.
• The U.S. Federal Trade Commission (FTC), citing AWS’s confirmation that its infrastructure was misrepresented in court filings.
• The UN Working Group on Enforced or Involuntary Disappearances, linking Safaricom’s alleged data handovers to cases of abductions in Kenya.

The goal is clear: to lift the scandal out of Nairobi courtrooms and into the international regulatory spotlight, where Vodacom and Vodafone can no longer hide behind Kenyan political protection.

The Vodacom Dilemma

For Vodacom, headquartered in South Africa, the petition poses an existential reputational risk. For years, it has paraded Safaricom as its flagship success story in Africa, a model of mobile money innovation through MPESA and rural connectivity.

Now, that same subsidiary stands accused of gross human rights violations. Vodacom’s silence will be read as complicity; intervention will mean confronting a powerful Kenyan state ally.

Vodafone, which touts global principles of human rights and data protection, may find itself cornered. The lobby group’s petition is designed to force executives in Johannesburg and London to either defend Safaricom’s conduct or demand sweeping reforms.

Crisis of Trust at Home

Meanwhile, ordinary Kenyans are left wondering whether their most private transactions are safe. The revelations have fueled distrust of MPESA, once celebrated as a symbol of financial inclusion. If Safaricom’s databases are both vulnerable to hackers and open to state abuse, can any Kenyan truly trust that their digital lives are secure?

Civil society groups argue that Safaricom has crossed the line from corporate negligence into corporate criminality. They want Vodacom and Vodafone to recognize Safaricom as a liability — not just for shareholders, but for democracy itself.

Conclusion.

The Mokaya case, the CDS breach, and the scapegoating of Allaka are no longer isolated scandals. They have coalesced into a global petition that could redefine Safaricom’s future.

For the lobby group, this is not just about one company. It is about setting a precedent that no corporation, however profitable, should be allowed to collude with states in surveillance, abductions, and evidence fabrication without consequence.

As the petition lands on Vodacom’s boardroom table and makes its way to Brussels, Washington, and Geneva, Safaricom faces the most dangerous trial of its two-decade existence.

The verdict may no longer be decided in Nairobi courts — but in the international arena, where reputations are harder to launder and accountability cannot be so easily fabricated.