Kenya Airways (KQ) last month faced a cyber attack where an unauthorized actor tried to access the airline’s systems.
The cyberattack is believed to have been carried out by Ransomexx ransomware group on December 30, 2023 leading to a massive data leak including highly sensitive and confidential data that they uploaded on the dark web.
Documents leaked cover aircraft accidents, investigation reports into employee misconduct like fraud, theft, policy violations.
A huge volume of internal Kenya Airways data compromised including; insurance policies, confidential agreements, passwords, customer complaints, alleged sexual harassment incidents. The exposed files also contain files relating to accidents, as such documents were named ‘Accident docs’, ‘Accident investigations’, ‘Accidents’, ‘Air Accident Investigations’, and ‘Investigation Reports.’
The leak also contains details of politically exposed people. This has dealt a blow to Kenya Airways for failing to secure the safety of customers data and exposing the airline to cybercriminals. This breach also could enable theft and fraud from the employees and customers leaked data.
The actor then demanded a ransom from KQ, which was declined.
KQ recently informed the Office of Data Protection Commissioner (ODPC) of the incident in line with the transparency policy and the Data Protection Act protocols.
Individuals whose limited information was accessed were contacted and engaged.
After the incident, the airline’s technology security professionals adopted precautionary measures to prevent future attacks.
Cyberattacks are a common occurrence across many sectors, and Kenyan companies, like other businesses globally, are not immune to these attacks.
Kenya has in place data protection legislation amidst rising cyber security concerns.
The Data Protection Act of November 8, 2019, safeguards individuals’ privacy and prevents unauthorized access, circulation, and disclosure of personal data through any medium.
Breaches by individuals carry severe penalties from the ODPC.
The act outlines offenses that include accessing personal data without proper authorization, disclosing it to third parties, or attempting to sell such data obtained through breaches.
Those found guilty may face penalties including fines up to three million shillings, imprisonment for up to ten years, or both.