Kenya’s Business Registration Service (BRS) has suffered a major cyber attack, exposing confidential data on businesses and their owners. Investigators have ruled out ransomware, but the stolen data is already being circulated on the dark web.
A Breach with Serious Implications
The cyberattack, which took place on 31 January, has prompted immediate action from BRS. The organisation’s Director General, Kenneth Gathuma, confirmed that an Incident Response Plan had been activated. However, the public database has been taken offline, though it remains unclear whether this was a precautionary measure or a direct result of the breach.
BRS, one of Kenya’s most data-rich government agencies, holds detailed records on registered businesses, their directors, and beneficial owners—information that is typically accessible only through official channels and for a fee. Additionally, sensitive documents from the Office of the Official Receiver—which manages businesses facing financial distress—may have also been exposed.
Despite the severity of the attack, investigators have ruled out ransomware, a tactic commonly used in previous cyberattacks on Kenyan institutions. This incident is the most significant government data breach since the 2023 cyberattack on Kenya Airways.
Government Response and Next Steps
Kenyan data protection laws require BRS to assess the extent of the damage and notify affected individuals. The agency has pledged full transparency and is working with law enforcement, cybersecurity experts, and investigative agencies to contain the breach and mitigate its consequences.
As cybersecurity threats continue to evolve, this breach underscores the urgent need for stronger data protection measures in Kenya’s public sector.
