A court has ruled that Safaricom failed to protect a customer whose mobile line was swapped by fraudsters, leading to the theft of Sh4.4 million from her Diamond Trust Bank (DTB) account.
The High Court dismissed appeals from both Safaricom and DTB, ordering them to repay the customer, Mercy Wairimu Kariuki, in full.
Safaricom is liable for 60 percent of the loss, while DTB must cover the remaining 40 percent.
The judgment makes it clear that a bank cannot hide behind a customerโs PIN and a telco cannot claim it is just a “pipe” when its systems are used to commit fraud.
The trouble for Kariuki began on 6 February 2022, when fraudsters swapped her Safaricom line. She noticed the problem immediately and called Safaricom customer care, who confirmed the swap and told her to visit a shop.
She went the next day and her line was restored. However, it was too late.
The next morning, DTBโs alert system sent messages confirming a series of unauthorized withdrawals and transfers.
Over three separate days, Sh4,418,601 was taken from her account and moved to multiple bank accounts and mobile numbers. Kariuki had never shared her PIN and had banked with DTB for years.
She did exactly what a customer is advised to do after a SIM swap, yet she still lost a huge sum of money and then spent over four years in court to prove it was not her fault.
DTBโs defense in court was predictable. The bank argued that the transactions were authenticated with the correct secret PIN, which it claimed was sufficient proof of identity.
It also said the transfers were spread over three days and did not break its daily limit of Sh2 million.
More troubling, DTB tried to get the case dismissed on a technicality, arguing it should have been handled under data or communications laws rather than as a straightforward negligence claim.
Safaricom, in its cross-appeal, took a different approach. It insisted that its job is only about providing telecommunications infrastructure, claiming it has no control over what happens when a customer logs into their bank’s app.
The High Court rejected both arguments. Justice Asenath Ongeri found that DTB ignored obvious red flags, such as rapid, large transfers to multiple unrelated accounts, which should have triggered a manual review regardless of the PIN matching.
On Safaricom, the court ruled that allowing the SIM swap in the first place was a direct cause of the loss. The telco cannot outsource responsibility for compromising a customerโs digital identity just because a third party later took advantage of that compromise.
The court upheld the original decision from the Mavoko Chief Magistrateโs Court, which had apportioned liability at 60 percent for Safaricom and 40 percent for DTB.
Both appeals were dismissed with costs.
This is not an isolated incident. Court records show a pattern of mobile-money security failures that have been known for years. In 2022, a senior police officer testified that fraudsters swapped his SIM and drained his accounts while his phone was in his pocket.
In another case, a medical lab scientist was left stranded abroad after scammers swapped his line and stole millions from his bank accounts. While courts have not always sided with victims, the Kariuki case shows a growing willingness to hold both telcos and banks accountable.
Safaricomโs own disclosures have revealed that it fired dozens of employees for fraud-related offences, with a significant number linked directly to SIM swap fraud. This indicates the problem is not purely external and has, at times, been assisted from inside the company.
The Kariuki ruling is also connected to a wider data governance scandal at Safaricom. In a separate judgment, the High Court confirmed that Safaricom employees had systematically extracted the personal, financial and location data of an estimated 11.5 million subscribers over seven years and sold it to third-party betting companies.
The court awarded damages to the petitioners and established a constitutional record of failure. This shows a company that has failed to secure the SIM-based identity layer that underpins Kenyaโs entire mobile banking system and has allowed its own employees to harvest and sell the personal data of millions of subscribers.
Safaricom has acknowledged the problem by rolling out a SIM-Swap-Check API for partner banks. Yet the Kariuki case, which happened in 2022, shows that even with such tools, the fraud can still succeed against a customer who did everything right.
The core issue is that Kenyaโs mobile banking revolution was built for convenience first, and security was a secondary concern. When the system fails, the instinct of both telco and bank is to blame the customer and fight in court for years rather than pay compensation.
Mercy Kariuki reported her SIM swap the same day it happened. She followed every instruction and never shared her PIN. She still lost Sh4.42 million and had to fight for more than four years to get it back.
The same phone number that failed her is still used as near-conclusive proof of identity for millions of Kenyans across banking, mobile money and government services.
This is a single point of failure that fraudsters have turned into a business model. The question now is whether Safaricom and Kenyaโs banks will treat this judgment as just another cost of doing business, or whether this ruling will finally force them to re-engineer the system itself.











Add Comment