- British Standards Institute says Safaricom customer data safe
- Safaricom network and technology products not accessed by rogue third-parties
- Expert-led penetration testing and validated vulnerability assessment services done on Safaricom network
A cross-section of Kenyans has questioned the safety of Safaricom’s customer data after a false report in the media indicated that Safaricom aids in police abductions by giving third-party agencies such as the Director of Criminal Investigations (DCI) unauthorized access to customer real-time location data.
However, the British Standards Institute, which conducts expert-led penetration testing and validated vulnerability assessment services, has awarded Safaricom the ISO 27701 Privacy Information Management System (PIMS) certificate after a comprehensive evaluation.
British Standards Institute (BSI)’s ISO 27701 Privacy Information Management System (PIMS) assessment looked into Safaricom’s crucial systems such as the Customer Relationship Management (CRM), IP Contact Centre (IPCC), Tibco, Converged Billing System (CBS), Voucher Management System (UVC), M-PESA G2, M-PESA Statement Portal, M-PESA Super App, MySafaricom App, and the M-PESA business App. It was keen on effective system controls for the protection of personal information, implementation of relevant policies including the Data Protection Policy as i
BSI is CREST-accredited and approved by the UK’s National Cyber Security Centre (NCSC) as a CHECK provider and is authorized to conduct penetration tests, known as IT Health Checks (ITHC), for government, private sector and critical public sector bodies. BSI identifies security vulnerabilities within a company’s IT systems using state-of-the-art vulnerability scanning tools and in-depth manual penetration testing techniques. BSI’s validation process thoroughly scrutinizes networks for any vulnerabilities and recommends remediation actions.
Safaricom’s network went through BSI’s simulations and intense penetration testing, and there was no customer data exposure to rogue third-party companies. BSI dug into Safaricom’s network to check for any potential threats and found that the network’s integrity and confidentiality were intact and that there were no security weaknesses or third-party access on its IT systems.
There is no way Safaricom, with over 45.9 million customers, supporting over 1.1 million jobs both directly and indirectly, with a total economic value of $4.2 billion and annual revenues of close to KES 335.4 billion, and running M-PESA, the world’s largest mobile payment system serving over 32.1 million customers and generating over KES 139.9 billion in revenue, will take security casually.
On matters of politics and abductions, Safaricom reaffirms that it has not shared any customer data and does not involve itself in politics.
“We respect our customer’s privacy and adhere strictly to the country’s data protection laws. As such we do not share any customer data unless explicitly required of us via a court order. On the current issue in discussion, we have not received any court order requiring us to share customer information with any government agency,” Safaricom wrote in a statement.
The ISO 27701 Privacy Information Management System (PIMS) certificate validates Safaricom’s dedication to safeguarding customer data across its GSM and M-PESA services and shows Safaricom adheres to globally accepted regulatory and technical standards in customer privacy and data protection.
This is not the first such security certification. Safaricom has received the Information Security Management Systems (ISO 27001 – ISMS) and the Payment Card Industry Data Security Standard (PCI DSS version 4.0) certifications, for its systems security and payment safety standards respectively. Additionally, the company recently achieved the latest and highest level of PCI DSS Certification (upgraded from v3.21 to v4.0).