Bolt Ordered to Pay Ksh 500,000 to Driver Over Data Breach and Fraudulent Trips

The Office of the Data Protection Commissioner has instructed taxi service provider Bolt to pay Ksh 500,000 to a driver whose account was compromised, allowing unauthorized individuals to use it for seventeen fraudulent trips totalling over Ksh 26,000.

In a ruling by Data Commissioner Immaculate Kassait, Bolt Operations and Bolt Support Kenya Ltd were found liable for breaching the driver’s data rights and failing to protect his personal information. The company was ordered to compensate Kennedy Mbugua, a driver who reported the incident, for the violations.

According to the Data Commissioner, Bolt violated several provisions of the Data Protection Act: it infringed Mbugua’s right to access his personal data and his right to have false information corrected, and it failed to implement adequate safeguards against unauthorized access.

“Bolt Operations OU and Bolt Support Kenya Limited is hereby found liable for violating Mbugua’s right to access his personal data under Section 26(b) of the Act, correction of false or misleading data under Section 26(d) of the Act and failure to fulfill its obligations under the Act,” the ruling stated.

The Data Commissioner highlighted that, although Bolt did not find evidence of a breach within its systems, the company failed to take proper action to prevent unauthorized access to Mbugua’s account. This violated Section 41 of the Act, which requires data controllers to implement appropriate technical and organizational safeguards.

Mbugua’s ordeal began on May 15, 2023, when a woman contacted him claiming that his account was being used by another driver. Concerned, Mbugua attempted to regain control by submitting selfies with his ID and a newspaper as proof of identity. However, when he tried to log in the following day, he found his credentials were no longer recognized. Upon further investigation, Mbugua discovered that fraudulent rides had been taken on his account, accumulating significant charges.

Despite numerous attempts to contact Bolt for assistance, Mbugua received no response, and further inquiries confirmed that his account had been compromised. He reported the incident to Bolt and the police, but no resolution was forthcoming.

The ruling reminds companies to strengthen their data protection measures and ensure that personal information is safeguarded against unauthorized access and misuse.