I&M Bank House, 5th Floor, 2nd Ngong Avenue, Upper Hill, Nairobi, Kenya

Bolt's Blunder: The KES 500,000 Cost of Lax Data Breach Management

Office of the Data Protection Commissioner (ODPC)

Background of the Case

In Kennedy Wainaina Mbugua v Bolt Operations OU and Bolt Support Kenya Limited, the Complainant, Mbugua, a registered Bolt driver since April 2021, filed a complaint with the Office of the Data Protection Commissioner (ODPC) alleging fraudulent activity and unauthorised access involving his Bolt Driver Account.

The Complainant had been contacted by an individual purporting to be a Bolt employee, who claimed that his account had been used by another Bolt driver. To resolve this, he was instructed to verify his identity by providing his personal information, including selfies and his National Identification Card. The following day, he noticed that his account login credentials had been changed and that fraudulent rides had been conducted using his account. Although he contacted Bolt’s support team, no immediate assistance was provided to rectify this. The fraudsters went on to use his account to conduct 17 unauthorised rides totalling KES 26,250, all of which were corporate bookings.

The Complainant acknowledged his failing in providing his data to the alleged fraudsters without verifying the caller’s identity, but claimed this may have been an inside job, citing previous dismissals of Bolt staff owing to fraudulent activity. Bolt, however, denied any involvement and attributed the incident to a phishing attack. Frustrated with Bolt’s inadequate handling of the matter and the support team’s failure to escalate it promptly, the Complainant submitted a complaint to the ODPC.

Determination by ODPC

Following its investigation of the incident, the ODPC determined that a personal data breach had occurred, given that unauthorised individuals had accessed the Complainant’s personal data, including his name, email, phone number, trip history, and financial details. However, it also acknowledged Mbugua’s partial contribution to this unlawful disclosure.

The ODPC further determined that Bolt had infringed the Complainant’s data subject rights to correction of false or misleading data under Section 26(d), and to access under Section 26(b). Despite his repeated efforts, Bolt’s support team did not recognise his requests as data subject rights requests and thus failed to handle them in line with Bolt’s established DSR procedures.

The ODPC’s investigations also uncovered Bolt’s failure to undertake a Data Protection Impact Assessment for the account management systems covering its Kenyan user accounts, despite conducting large-scale processing activities.

As a result, the ODPC concluded that Bolt failed to uphold its obligations under the Data Protection Act to:

  • ensure the security of personal data;
  • process personal data lawfully;
  • promptly address a data breach; and,
  • comply with the principle of data protection.

The Office ordered Bolt to compensate the Complainant KES 500,000.00 for its violations of his rights under the Act and issued an enforcement notice.

Key Takeaways

The ODPC’s determination stressed the importance of organisational responsibility for data security and appropriate incident management. Bolt’s failure to handle the data breach adequately, and to escalate and address it promptly, only served to exacerbate its impact. Data controllers and processors must implement robust security measures to prevent unauthorised access in order to uphold the confidentiality, integrity and availability of the personal data in their custody.

The failure of Bolt’s support team to recognise the Data Subject Rights (DSR) requests is also evidence that Bolt did not provide effective data protection training. All data handlers must ensure a high level of data protection literacy among their staff so that breach incidents and DSR requests are recognised and managed effectively.

Finally, this case serves as a significant lesson on the shared responsibility for data protection. While Bolt’s shortcomings exacerbated the phishing attack, the Complainant’s inability to recognise the scam for what it was was the inciting incident. Organisations still bear primary responsibility for protecting personal data; however, individuals must exercise caution before disclosing their personal information. A healthy dose of scepticism towards invasive lines of questioning is always necessary.

AUTHOR: Cherono Barno
Disclaimer: Nothing in this article should be construed as legal advice. Readers are advised to consult a qualified lawyer for specific guidance.