The Office of the Data Commissioner informed a Senate committee on Tuesday that Naivas Supermarket failed to report an alleged data breach affecting thousands of customers within 72 hours as required by law, risking a fine of up to KES 5 million.
Data Commissioner Immaculate Kassait said her office has launched a full investigation into the breach first reported in March and is auditing Naivas’ data protection practices and cybersecurity measures.
“My office has initiated a post-breach audit to fully understand the circumstances surrounding this data breach,” Kassait told the Information, Communication and Technology Committee. “If the organization is found to be negligent in safeguarding customer data, we will take the necessary punitive actions.”
In April, Naivas announced it was the victim of a ransomware attack by an online criminal organization that may have compromised some customer data. The company, however, said it had contained the attack and secured its systems.
Senators pressed Kassait for more details on the scope of the breach and measures taken to assist affected customers.
“Our constituents’ personal and financial data is out there unprotected. We need answers,” said Nominated Sen. Shakila Abdalla.
Committee chairman Allan Chesang said the panel plans to summon Naivas CEO Willy Kimani to testify on the timeline of the breach, number of customers impacted, and steps the company has taken to strengthen data protections.
“We want to get to the bottom of this breach which has deeply shaken public trust,” Chesang said.
Under Kenya’s 2019 Data Protection Act, companies must report data breaches within 72 hours or face fines of up to KES 5 million. Individuals found culpable could face up to 10 years imprisonment.