Digital lenders Tala and Branch are among the 40 that have been flagged for data breaches.


Digital lenders Tala and Branch are among the 40 that have been flagged for data breaches. The Office of the Data Protection Commission has blacklisted 40 Digital Credit Providers (DCPs), including Tala and Branch, due to possible data breaches involving customer information (ODPC).

A data breach is the unintentional disclosure of sensitive data to third parties. In the event of a data breach, files may be accessed and shared without authorization.

Because of the number of complaints lodged by the public about the way in which their personal data was handled, a preliminary documentary evaluation of the 40 digital lenders is scheduled to begin shortly.

The ODPC reports receiving 1,030 complaints by September 30, 2022, and admitting to 555 of them; of them, 54% involve digital credit companies.

In addition to Apesa, AsapKash, Cash, Cash Sea, CollectPlus, Coopesa, Credit Kes, Credit Moja, Deltech Capital Limited, and Direct Cash, the following DCPs are being investigated for their possible role in the data breaches: Zenka Digital, Zuri Cash, Premier Credit, Credit Moja, and Hela Credit.

In addition to the aforementioned options, I found the following: FairKash, FlashPesa, Flexi Cash, Hela Credit, Hikash, iKash, Connect, InstarCash, iPesa, Kash Loan, KashBean, KashPlus, Kashway, KesLoan, Lemon Kash, LionCash, and M-Credit.

To round off the list, we have Premier Credit Ltd, Rocket Pesa, Senti, SkyPesa, Zash Loan, Zenka Digital Limited, Zuri Cash, PapCash, Pocket Cash, MetaLoan, and MoKash.

If the DCPs do not provide the requested paperwork to the Data Commissioner’s Office by October 18, 2022, they will be seen as uncooperative.

Aga Khan University Hospital was also served with an enforcement notice by the ODCP for alleged violations of Kenya’s Data Protection Laws.

A patient “made a complaint with the Data Commissioner that a member of staff improperly contacted the complainant after the complainant had visited the Hospital, in violation of Sections 25, 41, and 46 of the Data Protection Act, 2019,” ODPC said.

The Data Commissioner “in the execution of the powers of the ODPC” ordered the hospital to “outline specific measures it will take to reduce or eliminate the breach/contravention and to rectify and/or put in place structures within which the measures shall be executed within 30 days.”

Even though credit providers are regulated by the Central Bank of Kenya (CBK), which has established strict restrictions against personal data breaches, the CBK has decided to audit the DCPs anyhow.

The CBK announced on September 19 that it had issued licenses to 10 DCPs and was continuing to assess 278 applications.