| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Laws reviewed by the court |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 19 March 2024 |
| Decided: | 17 June 2024 |
| Published: | Yes |
| Fine: | KES.500,000 |
| Parties: | Kennedy Wainaina Mbugua vs Bolt Operations Kenya Limited |
| Case No.: | 497 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |

Kennedy Wainaina Mbugua alleged Bolt unlawfully accessed his account, resulting in fraudulent transactions. Bolt claimed Mbugua was a victim of a phishing scam, not a data breach. The ODPC found Bolt liable for violating Mbugua's data access rights and ordered it to pay compensation.
On 19th March 2024, Kennedy Wainaina Mbugua filed a complaint with the Office of the Data Protection Commissioner (ODPC) against Bolt Operations Kenya Limited (Bolt). Mbugua alleged that Bolt unlawfully accessed and processed his personal information, resulting in the disclosure of his personal data to third parties who used his Bolt driver account information for fraudulent purposes.
Mbugua claims that on 15th May 2023, he was contacted by a woman who informed him that his Bolt account was being used by a different driver, raising concerns of unauthorized access. He experienced difficulties logging into his account, with his email and password no longer recognized. Mbugua discovered unauthorized rides taken under his account.
Despite multiple attempts to contact Bolt for assistance, he received no response. Mbugua alleges that fraudulent rides were conducted under his identity. He reported the matter to Bolt and the police, but there was no resolution. Mbugua argues that Bolt compromised his privacy, exposed his account to fraud, and failed to protect his privacy, contrary to the Data Protection Act.
He submitted evidence including a judgment in a previous case, a witness statement, email correspondence with Bolt, screenshots of his Bolt account, screenshots of a WhatsApp conversation, and screenshots of messages from Bolt.
Bolt responded to the allegations on 10th May 2024, denying unlawful and illegal access to Mbugua's personal data. Bolt claims it upholds data processing standards and provided the ODPC with a Privacy Notice for Drivers to demonstrate lawful bases for processing personal data. Bolt asserts that processing Mbugua's personal data was necessary for the performance of his contract with the company as a driver.
Bolt argues that Mbugua had been a registered and active driver on its platform since April 2021. Bolt denies any involvement in fraudulent activities using Mbugua's data, attributing it to malicious actors. They claim an internal investigation absolved Bolt and its agents of any complicity in the unauthorized access to Mbugua's account.
Bolt contends that Mbugua shared his personal data with perpetrators during a phishing attack. The perpetrators allegedly obtained Mbugua's identification card, SMS confirmation code, and account password via WhatsApp.
Bolt claims the perpetrators used this information to modify Mbugua's international bank account details. Bolt states that it has customer support verification procedures in place to protect driver privacy when receiving requests related to their accounts.
Bolt's internal investigation identified procedural oversights involving customer support agents regarding account detail change processes. They acknowledged that a customer support agent incorrectly advised a sender to share their government ID, contributing to the account change. Bolt further claims its customer support team escalated the fraud case to its privacy team and the fraudster's devices were blacklisted between 16th and 17th May 2023.
They submitted evidence of their efforts to investigate the allegations and cooperate with the ODPC, including a site visit on 31st May 2024.