Kenya’s digital population is highly active online, broadly aware of the country’s data protection framework, and deeply worried about cybercrime. Yet awareness has not fully translated into protective behaviour, and financial losses from cyber incidents are widespread.
GeoPoll conducted this survey across Kenya in April 2026 to understand how ordinary people experience the digital security landscape, from awareness of legal protections to the security incidents they’ve personally encountered. Most respondents use the internet multiple times a day, primarily through smartphones. Social media is near-universal. Mobile money platforms like M-Pesa sit at the heart of daily financial life, and, as the data shows, at the heart of fraud exposure too.
- 73% are aware of Kenya’s Data Protection Act (2019). Nearly three in four Kenyans have heard of the Data Protection Act, 2019, a strong result for a law enacted just over five years ago. Awareness is highest among urban,
- 37% Lost money due to a cyber-related incident. More than one in three respondents suffered direct financial loss from a cyber incident over the past year. Mobile money fraud and phishing are the primary vectors. Male respondents are more likely to report losses (40%) than women (34%).
- 90% Interested in learning more about cybersecurity. Nine in ten respondents want to learn more about cybersecurity, a level of demand that is genuinely exceptional and represents a clear mandate for public and private sector education initiatives.
- 69% Very concerned about cybercrime in Kenya. Cybercrime concern is near-universal, with 69% ‘very concerned’ and a further 16% ‘somewhat concerned’, meaning 85% of all respondents express significant worry about the threat.
75% of respondents are uncomfortable sharing personal information online, yet over half regularly share their phone number and email address on digital platforms.
Kenya is online, and it’s mobile-first
Nearly nine in ten respondents access the internet several times a day. The smartphone dominates, and social media is the near-universal digital entry point.
Social media dominates at 88%, consistent with Kenya’s position as one of Africa’s most active social media markets. Email (42%) and online banking (32%) follow, with e-commerce at just 2%, a signal that mobile money platforms have effectively absorbed the transactional role that online retail occupies elsewhere. The smartphone is the gateway to all of this: 79% of respondents cite it as their primary internet device. This is not a new trend but an accelerating one: Kenya’s mobile-first internet economy has been built on the back of sub-$100 Android handsets and competitive mobile data pricing from operators like Safaricom, Airtel, and Telkom.

Internet access is intensive rather than occasional. 87% of respondents connect several times daily, which means Kenyan users are continuously exposed to the digital environment, and to its risks. Understanding cybersecurity for Kenyan users is not about protecting a device that gets used once a week. It is about securing the tool that manages money, communication, business, and social life around the clock.
High DPA awareness, but understanding lags behind
The Data Protection Act, 2019 came into force on 25 November 2019, making Kenya one of the first countries in East Africa to adopt comprehensive data protection legislation modelled on the EU’s GDPR. Enforced by the Office of the Data Protection Commissioner (ODPC), the Act gives every Kenyan the right to know what personal data is held about them, how it is used, and the right to have it corrected or deleted. In 2025 alone, Kenyan organisations paid over KES 30 million in compensation to individuals for privacy violations, signalling that enforcement is intensifying. 
73% of respondents have heard of Kenya’s Data Protection Act (2019). However, self-reported understanding of how companies use personal data tells a more nuanced story.
That 73% of our respondents have heard of the Act is an encouraging headline. But awareness is not the same as understanding — only 36% say they understand ‘very well’ how companies use their personal data, and 28% say they do not understand it very well at all. This gap between knowing a law exists and understanding its practical implications for one’s own digital behaviour is precisely the space where exploitation happens.

Social media is overwhelmingly the leading source of data protection education at 77%, nearly double news and traditional media (44%). Government campaigns reach only 14%, suggesting official public education efforts have significant room to grow. Among men, DPA awareness is slightly higher at 76% vs. 70% among women, pointing to a modest but meaningful gender gap in formal digital literacy exposure that targeted interventions could address.
Sharing Personal Data Online
Most Kenyans express discomfort sharing personal data online, yet the data they routinely share tells a different story.
There is a striking disconnect between expressed discomfort and actual behaviour in this data. Three quarters of respondents say they are not comfortable sharing personal information online, yet phone numbers (52%) and email addresses (51%) are shared routinely. Photos and videos are shared by 32%. This is not necessarily hypocrisy; it reflects the practical reality that many digital services in Kenya, from ride-hailing to food delivery to mobile banking, require personal data as a condition of use. The discomfort is real, but the trade-off feels unavoidable.
More sensitive categories, location data, national ID numbers, and financial details, are shared by just 13% and 1% respectively. This suggests respondents do draw a meaningful line around their most sensitive identifiers, even if contact details flow freely. The 13% who share location data regularly are particularly exposed, given how precisely location can be used to enable targeted crime.
The high rate of privacy policy reading (56% always read them) is a positive finding. However, research consistently shows a gap between claiming to read policies and actually reading them with comprehension. The true test of engagement with privacy notices is whether people change their behaviour based on what they read, which requires policies that are comprehensible in the first place.

Cybercrime is not a distant threat, it’s personal
The scale of mobile money fraud in Kenya is not just anecdotal; it is structural. Over 30 million Kenyans use M-Pesa regularly, and the platform processes more than $50 billion annually. This ubiquity creates a vast attack surface. According to Techweez, mobile banking fraud cases surged 87% between 2023 and 2024, driven by SIM-swap schemes, credential theft, and social engineering attacks. Between July and September 2025 alone, Kenya recorded an estimated KES 29.9 billion (approximately US$230 million) lost to cybercrime.
Our survey found that 54% of respondents have experienced mobile money fraud, a figure that places this squarely in the category of endemic risk rather than edge case. A 2021 FinAccess survey similarly found that mobile money users who reported losing money had risen from 8.4% in 2019 to 47.4% by 2021, though that figure includes accidental transfers. What is consistent across data sources is that mobile money fraud in Kenya is pervasive, growing, and deeply tied to everyday financial life.

37% of our respondents have personally lost money to a cyber incident in the past 12 months. Male respondents are more likely to report financial loss (40% vs. 34% for women), which may reflect differences in mobile financial activity, or greater willingness among men to disclose losses. The majority of victims (74%) lost less than KSh 5,000, a meaningful but recoverable sum. However, 6% report losing more than KSh 50,000, representing a significant tail of severe financial harm.
Mobile money fraud demands Kenya-specific responses. 54% of respondents report mobile money fraud experience. This is a threat category largely absent from global cybersecurity frameworks, driven by SIM-swap schemes and social engineering that exploit the very platforms underpinning Kenya’s financial inclusion story.
Trust in companies and confidence in Kenya’s data laws
Strong passwords are the most common protective measure at 78%, but the figure that stands out is two-factor authentication at 52%. This is substantially higher than global averages, and almost certainly reflects Kenyan users’ repeated exposure to 2FA through M-Pesa, mobile banking apps, and fintech services. Security habits that emerged out of financial necessity have become more generalised, a rare example of mobile money’s security architecture having positive spillover effects on user behaviour.
At the same time, emerging authentication trends suggest that even these strong habits may continue to evolve. As highlighted in this BBC article on passkeys and the future of authentication, there is a growing global shift away from traditional passwords toward passwordless systems such as passkeys, which are designed to be more secure and resistant to phishing. These technologies build on the same principles that made two-factor authentication successful, layered security and user verification, but aim to remove friction while improving protection. In markets like Kenya, where users are already accustomed to multi-step verification through mobile financial services, the transition to passwordless authentication may be smoother and faster than in regions where such behaviours are less entrenched.
On institutional trust, only 47% of respondents trust companies, either completely or somewhat, to protect their personal data. The largest single group (33%) is neutral, which likely reflects uncertainty rather than confidence. On law effectiveness, 59% view Kenya’s data protection laws as at least somewhat effective, and 36% are sceptical. Notably, a 2025 amendment bill proposed increasing the financial penalties under the DPA from ‘whichever is lower’ to ‘whichever is higher’ for large organisations, which would substantially increase regulatory exposure for non-compliant companies, and may begin to shift public trust if enforcement becomes more visible.

A population ready to learn
90% of respondents expressed interest in learning more about data protection and cybersecurity. This is an extraordinary level of expressed demand, and it translates directly into an opportunity. The question is not whether Kenyans want to be educated on this topic, but whether the education on offer meets them where they are, in the format they prefer, and at the level of practical actionability they need.

Social media leads as the preferred channel at 83%, which aligns with where people are already encountering information about data protection. Campaigns on WhatsApp, TikTok, Instagram, and X that use short-form video, relatable scenarios, and local language are likely to achieve the greatest penetration. TV and radio remain important at 57%, particularly in peri-urban and rural areas where data costs remain a barrier to heavy smartphone use. According to the Communications Authority of Kenya, internet penetration in rural areas still trails urban access significantly, making broadcast media a critical complementary channel. 
School education (39%) and workplace training (23%) also feature prominently, suggesting appetite for more structured, credentialed forms of digital literacy education beyond the scroll-and-watch model of social media. This is particularly relevant for policymakers designing Kenya’s long-term digital skills agenda: cybersecurity education that begins in secondary school and is reinforced through employer-led programmes is likely to compound in impact over time in ways that social media campaigns cannot.
Social media is the logical starting point. 83% prefer social media campaigns and 77% already learned about data protection through social platforms. Campaigns that meet Kenyans on WhatsApp, TikTok, and Instagram, in Swahili and English, will have the greatest reach.
Key Takeaways
- Cybercrime exposure is near-universal. 61% have experienced phishing, 54% mobile money fraud, 31% account hacking. 75% know someone personally who has been a victim. This is not a marginal risk; it is mainstream.
- The awareness–behaviour gap is real. High DPA awareness and expressed caution about data sharing coexist with widespread sharing of contact details and significant password reuse. Education must move from awareness to actionable behaviour change.
- Mobile money fraud needs tailored policy responses. The scale of mobile money fraud marks Kenya as a distinct threat environment. Generic cybersecurity frameworks are insufficient. Industry-level responses from the Central Bank of Kenya, Safaricom, and telecom operators are needed.
- Demand for education is a genuine opportunity. 90% want to learn more. Organisations and platforms that invest in accessible, practical cybersecurity content in local languages will be meeting a clearly stated public need.
- Institutional trust must be earned through enforcement. Only 47% trust companies with their data. As the ODPC steps up enforcement and the DPA amendment bill progresses, visible accountability actions will be essential to rebuild public confidence.
Methodology/About this Survey
This exclusive survey was powered by GeoPoll’s AI platform, Tuucho, run via the GeoPoll mobile application and mobile web in Kenya. The sample size was 1,813, composed of random users between 18 and 50. Since the survey was randomly distributed to an and the results are slightly skewed towards younger respondents, and urban residents (59% urban, 24% rural, 17% peri-urban) and gender: 50% female, 50% male. All questions were self-administered via mobile survey in English. Response rates and regional weights are available on request.
The study set out to understand how everyday Kenyan internet users perceive and experience the digital security landscape — covering awareness of Kenya’s Data Protection Act, attitudes toward personal data sharing, the prevalence and financial impact of cyber incidents, trust in companies and government to safeguard data, and appetite for further education on cybersecurity. With Kenya’s mobile-first digital economy making platforms like M-Pesa central to daily financial life, the survey was designed to capture not just general cybersecurity sentiment but the specific threats and behaviours shaping the experience of a population navigating one of Africa’s most dynamic, and most exposed digital environments.
