The High Court is set to deliver its judgment on May 13 in a high-stakes petition accusing Safaricom PLC of overseeing a massive data breach allegedly affecting over 11.5 million subscribers.

The case comes after the close of oral and written submissions, with a group of subscribers claiming the telco failed in its duty as a data controller to protect sensitive personal information.

The petitioners allege that between 2018 and 2019, Safaricom’s systems were infiltrated through a coordinated scheme involving rogue employees who unlawfully accessed and extracted subscriber data. The data, they claim, was later shared with third parties, including betting firms, for commercial gain.

Court documents cite WhatsApp messages allegedly linking employees to the scheme, suggesting what the petitioners describe as widespread and unchecked access to personal data.

Through their lawyer, Mola Kimosop, the subscribers argue that Safaricom failed to implement basic safeguards, allowed illegal access and sale of data and may have benefited from the scheme—thus bearing full responsibility.

They insist the breach was systemic, not isolated and violated constitutional rights to privacy, dignity and consumer protection under the Constitution of Kenya, 2010.

However, Safaricom PLC has dismissed the case as a “textbook abuse of court process,” urging its outright dismissal. The company argues the matter is already subject to multiple proceedings, including constitutional, civil and criminal cases tied to the same allegations.

Safaricom contends that pursuing parallel suits amounts to forum shopping and undermines judicial efficiency, citing the case of Satya Bhama Gandhi v Director of Public Prosecutions & 3 Others to support its position.

The telco also challenges the evidence presented, saying the petitioners have not proven their data was compromised. It argues that reliance on general claims and M-Pesa statements does not establish unauthorized access or data sharing.

Further, the company disputes the existence of the alleged 11.5 million subscriber dataset, stating no admissible evidence has been produced to confirm it was ever created or distributed.

A key flashpoint is the affidavit of Benedict Kabugi, which Safaricom argues is inadmissible since it was introduced as an annexure rather than formally filed. The company also notes Kabugi is neither a party nor an independent witness and is facing criminal charges linked to the alleged breach, making his testimony unreliable.

On liability, Safaricom maintains it cannot be held responsible for criminal acts by former employees, arguing such actions fell outside the scope of their duties and were carried out for personal gain.

The court’s ruling is expected to set a significant precedent on data protection, corporate liability, and the scope of constitutional rights in Kenya’s digital age.