Data from 11.5 million customers of M-PESA land on the black market

Maximilian Henning

Picture: wrcomms, licensed under CC BY-SA 2.0

M-Pesa is a Kenyan system for cashless payment. This business model of the Kenyan communications provider Safaricom is based on the transfer of data. Now, employees of the provider have also leaked the personal information of 11.5 million users. The case ends up in court.

Now Kenya also has its data protection scandal. The data of 11.5 million customers of the telecom provider Safaricom has landed on the black market. It includes not only real names, mobile numbers and locations, as one would expect from a mobile phone provider. It also covers gambling: exact transactions showing on which platforms a customer bet and how much.

Safaricom also operates the extremely successful M-Pesa mobile payment system in Kenya. The system can be found at every corner, in every kiosk. Users can deposit money at these kiosks. They can then simply send this credit on by SMS, for example to betting sites.

Message from “Mark” and “Charles”

The current affair begins on 18 May, when two men named “Mark” and “Charles” contact a man named Benedict Kabugi Ndun’gu and offer him the data of 11.5 million gamblers. He searches the dataset, finds his own data – “I have occasionally used my number for gambling” – and is then convinced of its authenticity. For several weeks Ndun’gu reports to various police authorities and even to Safaricom itself. He is put off and instructed to keep the potential seller on the hook. At least that’s how he presents it in the lawsuit he has now filed against Safaricom.

“I now found myself in a unique position, to say the least, while waiting for feedback from the policeman and [Safaricom] and thinking up all kinds of lies,” he writes in the complaint against Safaricom. Ndun’gu was then held for one night without being given any reason, and the next day nevertheless helped the police arrest the two sellers in a sting operation.

They led the police to the source of the leak: two high-ranking Safaricom employees. A court then opened the case against them, but with a small surprise for Ndun’gu: “That Charles and Mark, who had illegally accessed the data, had not been charged and had not yet been charged, but are listed as witnesses.”

Instead, Ndun’gu himself was arrested and charged again. According to the prosecution, he tried to blackmail Safaricom with the stolen data between May 1 and June 7.

Kenya is proud of M-Pesa

This scandal is not the exception that confirms how well data protection otherwise works at Safaricom. M-Pesa and the surrounding ecosystem have institutionalized the lax handling of data and could not function without it.

M-Pesa was introduced in 2007 as a microcredit settlement system, but then expanded by Safaricom into a general cashless payment system. Today, 20 million Kenyans use M-Pesa or comparable systems, according to a recent study by the central bank and the NGO FSD Kenya. Mobile payment is a top priority in Kenya, M-Pesa a Kenyan success story.

In September 2016, Mark Zuckerberg visited Kenya “to learn something about mobile payment,” as he said at the time, calling Kenya the world market leader. And after Facebook announced its own currency Libra this month, there was speculation whether the strong culture of mobile payment in Kenya would be an advantage for Libra or whether M-Pesa would prevail as an established solution.

The miracle weapon against poverty

International media have been celebrating M-Pesa for years. “Why does Kenya lead the world in mobile payment” was the Economist’s headline in 2015; CNN dedicated a jubilant biography to the system for its tenth birthday in 2017.

“Access to Kenya’s M-Pesa mobile payment system increased per capita consumption and helped 194,000 households, or two percent of Kenyan households, out of poverty.” This is the conclusion of a study from 2016, which quickly became the often-cited core of the argument that development aid can also be profitable.

A brief history of Safaricom

And that’s M-Pesa: the parent company Safaricom is now the most profitable company in East Africa. The company alone represents forty percent of the value traded on the Kenyan stock exchange. If there is a definition of “too big to fail”, then for Kenya it is Safaricom.

The former division of the state-owned postal and telecommunications provider was partially privatised in 2008. Today, the state holds 35 percent of the shares, 25 percent are freely traded on the stock exchange and the rest is owned directly or through the subsidiary Vodacom by the British company Vodafone. In financial year 2018, Safaricom’s turnover with M-Pesa grew to 75 billion shillings (640 million euros), one third of total turnover. Shareholders received a bonus of the same amount.

“Another False Messiah”

“This shows that, based on the tiny transactions of the poor, M-Pesa creates significant value, which is largely conjured away by dividend payments to foreign investors in other countries,” conclude the authors of the study “Another False Messiah: The Rise and Rise of Fin-Tech in Africa”.

The “M-Pesa drives out poverty” study contains “a surprising number of errors, omissions, bad logic and methodological errors,” the authors criticize. It was also largely funded by FSD Kenya and the Gates Foundation, both very interested in expanding digital finance. FSD Kenya? Yes, exactly the NGO that is also responsible for the FinAccess study on the spread of these services in Kenya.

The authors of “Another False Messiah” compare the M-Pesa system with the exploitation of the poor in the USA before the 2008 financial crisis through gambling, mortgages and short-term loans. Just like then, poor people in Kenya are now being exploited by the “digital exploitation” of transaction fees and interest rates.

And indeed, the fees for withdrawing M-Pesa as cash can be as high as 17 percent for small amounts. Whoever withdraws the minimum amount of 200 shillings, around 1.72 euros, from an ATM pays the equivalent of 29 cents as a fee.

Creditworthiness, determined by algorithm

At least you can transfer small amounts for free, up to three times a day. This can be done simply by SMS. The catch: SMS messages are not encrypted and can therefore simply be read – and with them the transfers made via SMS.

This is exactly what an important component of the M-Pesa system does: apps for instant credit. Install the app, give it permission to read messages, and the user has access to credit. More than eight percent of adults in Kenya use instant credit apps; three years ago it was less than one percent.

Two of the most popular of these apps, Tala and Branch, were examined in 2017 in a report by the NGO Privacy International. Both were developed in California for African and Filipino users. Both needed access to phone calls, contacts, messages and GPS location.

From this data, an algorithm determines whether a loan is approved or not. Tala also evaluated whether enough messages are sent to contacts stored under “Mama” or whether the number is called often enough: “Her analysis has shown that people who call their family regularly are four percent more likely to repay their loans.” Branch needed access to the user’s Facebook account and evaluated the behavior of friends.

“How Tala Mobile is Using Phone Data To Revolutionize Microfinance,” Forbes titled an interview with Tala’s founder. “If privacy was important to Kenyan consumers, we would offer it,” a Kenyan M-Kopa employee told Privacy International. This company offers solar panels in installments, equipped with SIM cards. These transmit to M-Kopa how much electricity is generated and what program is running on the connected TV. If the instalments are no longer paid, they switch off the solar panels.

Debts instead of bank accounts

To understand the success and danger of M-Pesa, you need to know two more facts. First, six out of ten Kenyans do not have a regular bank account. The most common reason: lack of savings. “Only one fifth of the adult population was considered financially healthy,” says the FinAccess report mentioned earlier. Secondly, almost ten percent of those who take out a loan via such an app cannot repay it. With traditional bank loans, the figure is only two percent. Sustainable financial development looks different, say the authors of “Another False Messiah”. South Africa serves as a cautionary example.

There is also another problem: gambling, which is booming in Kenya. Five years ago the industry was still worth 2 billion shillings, now it is 200 billion. More than three quarters of young people gamble; half a million have already been unable to repay a loan, according to government authorities. This huge increase would hardly have been possible without simple remittances and quick loans.

Data protection law under discussion

Companies have now realised that this could be a potential image problem. Last week, 13 companies committed themselves to ethical lending practices. In October last year, some of the companies, including Branch and Tala, had already spoken out against parts of a Kenyan data protection law.

This law has been going through Kenyan legislation for a year now. A current draft provides that the data of Kenyan customers will only be stored on.

Lawsuit demands 115 trillion

In the current case, the plaintiff Ndun’gu vehemently denies that he ever blackmailed Safaricom with the stolen 11.5 million records. He also takes offence at the fact that Safaricom has not yet sent any of the victims a message or apology. Ndun’gu is pursuing this in a spectacular way: in his complaint, he demands 10 million Kenyan shillings for each of the 11.5 million victims. In total that would be 115 trillion shillings – equivalent to 990 million euros.

“I hope that the court will make a decision that will ensure that the giant who receives the application treats the question of data protection with the seriousness it deserves and that a leak of this kind never happens again,” the complaint says.

Published under the Creative Commons BY-NC-SA 4.0 license / First published


