
BRS data breach leaves company details easily available online

The Business Registration Service (BRS) has experienced a data breach that has exposed sensitive details of approximately 2 million Kenyan companies. The BRS is an agency under the Attorney General’s office responsible for company registration.

According to reports, the breach occurred on January 31, 2025, and corporate data, including personal information of company directors and beneficial owners, is now publicly accessible online. The stolen data is reportedly being sold on private websites, raising serious concerns about privacy and identity theft. The data breach was the result of a cyberattack targeting the BRS.

The data available online includes:

  • Names of company directors and beneficial owners.
  • Business registration details.
  • Company financial records.
  • Proprietor contact details.

The breach came to public attention when users began reporting that corporate registration data was freely available on b2bhint.com, a platform that aggregates business registration records from various global sources. The website allows anyone to search for companies by name or registration number, exposing personally identifiable information (PII) in seconds.

If you visit b2bhint.com, you can search for any company registered in Kenya between 2015 and 2021, and you will find detailed information, including:

  • Company ownership structure
  • Share distribution
  • Names and details of directors and beneficial owners

In many cases, the data even includes sensitive personal identifiers like national ID numbers, contact information, and business affiliations. Social media users were quick to raise the alarm, with some confirming that company data dating back to 1967 was now accessible.

The Business Registration Service (BRS) issued an official statement acknowledging the reports and confirming that they had launched an internal investigation. The agency stated that they had activated their Incident Response Plan and were working with cybersecurity experts, law enforcement agencies, and regulators to assess the situation.


The BRS Director-General, Kenneth Gathuma, assured the public that the agency was taking urgent steps to contain the breach, but admitted that they were still verifying the full extent of the attack. “Once the investigation is complete, we will provide an update and directly engage with any affected parties,” Gathuma stated.

However, BRS did not explicitly confirm what data was leaked, how many individuals were affected, or whether the attackers demanded a ransom. They also did not explain how the breach occurred, leaving speculation open as to whether it was an internal leak or a coordinated external cyberattack.

A report published by Nation Media Group cites sources close to the investigation suggesting that the attack could have been facilitated by an internal actor. Cybersecurity analysts also noted that the BRS online database had been taken offline, raising suspicions that either the attackers disabled the system or authorities shut it down to prevent further exposure.

Unlike ransomware attacks, where hackers encrypt data and demand payment for its release, this breach appears to involve direct data exfiltration, where stolen information is placed on the dark web and other public domains.

Despite the severity of the breach, Kenya’s Office of the Data Protection Commissioner (ODPC) has yet to release an official statement. The lack of immediate government communication has fueled frustration, with critics calling for accountability and stricter data protection enforcement.

Others have demanded answers on how this breach could happen under Kenya’s 2019 Data Protection Act, which requires strict safeguards for handling personal data. The law mandates organizations to notify affected parties when breaches occur – but so far, no individual or company has received direct notification from BRS.

The BRS breach presents significant risks, including:

  • Identity theft: Cybercriminals could use leaked PII for fraudulent financial activities.
  • Corporate espionage: Competitors can access sensitive company ownership details.
  • Blackmail and extortion: Private business records could be exploited for illicit gain.
  • Phishing attacks: Scammers may use leaked emails and contact information for targeted fraud.

If you or your company is registered under BRS, you should:

  • Change your eCitizen password immediately
  • Monitor financial transactions and business dealings
  • Beware of unsolicited messages or phishing attempts
  • Consult legal or cybersecurity experts for risk mitigation