A cyberattack has compromised the Business Registration Services (BRS) in Kenya, exposing sensitive data about companies, their owners, and directors. The breach, which occurred on January 31, 2025, may have led to the sale of stolen data on the dark web. Although the attackers’ identities remain unclear, authorities suggest internal involvement. The BRS handles extensive data, including financial records of companies in distress, making the breach especially concerning. This incident marks the first major data breach of a government entity in over a year.
The breach has disrupted public access to BRS’s online services, raising doubts about the attackers’ impact on the system’s infrastructure. Authorities are still working to assess the full scope of the damage while adhering to Kenya’s data protection laws. The motive behind the attack remains unclear, though ransomware has been ruled out. This attack follows a string of cyber incidents, including a major breach involving Kenya Airways in 2023.
The stolen data includes detailed company registrations and financial distress records, which have historically been accessible only through paid requests.
The breach has sparked concerns about the integrity and security of government databases. As investigations continue, the Kenyan government is being urged to improve its cybersecurity measures to prevent future breaches. The BRS remains unavailable to the public, limiting the ability to check the extent of the breach.
This cyberattack highlights the vulnerability of critical infrastructure in Kenya and has prompted urgent calls for improved cybersecurity hygiene across government entities. The breach serves as a reminder of the potential risks faced by organizations holding large volumes of sensitive information. Kenyan authorities are expected to update the public as more details emerge.
Reference: