South Africa is in the middle of one of its most serious cybersecurity episodes in recent memory. In the space of weeks, a government statistics agency, one of the country’s largest banks, and its insurance subsidiary have all suffered major breaches, with stolen data now surfacing on dark web forums and ransomware leak sites.
The Standard Bank and Liberty Breach
The most consequential incident involves Standard Bank, Africa’s largest lender by assets. The breach began in late February 2026, went undetected for over three weeks, and allowed the attacker to move laterally through internal administrative and document filing systems, including Microsoft SharePoint, OneDrive, Power Apps, Jira, Confluence, and Oracle SQL databases.
The haul allegedly includes more than 154 million rows of exported SQL data, covering customer PII such as full names, addresses, emails, phone numbers, South African ID numbers, driver’s licence numbers, passport numbers, credit card numbers, and account numbers, as well as detailed employee data and bulk corporate transactional data.
Standard Bank first disclosed the breach on March 23. When the bank refused to pay a ransom of one Bitcoin, Rootboy began releasing the data in daily batches on a ransomware leak portal starting April 14, with publications continuing in a planned sequence. The leaked information includes client names, ID numbers, contact details, account numbers, and some credit card details. CVV numbers were not compromised.
On March 24, Standard Bank’s subsidiary Liberty disclosed a separate breach, with perpetrators threatening to release emails and attachments on the dark web. Liberty CEO Yuresh Maharaj confirmed that customer policies and investments were not compromised and all services remained operational.
Stats SA Also Hit
Statistics South Africa confirmed it was the target of a ransomware attack on March 29, 2026, attributed to a group identified as XP95. The attackers infiltrated the agency’s HR database used by job seekers to apply for positions online, claiming to have exfiltrated 154GB of data covering more than 453,000 individual files, and issued a ransom demand of $100,000. Stats SA refused to pay and reported the matter to the Information Regulator.
The same group previously claimed responsibility for breaching the Gauteng Provincial Government, allegedly accessing 3.8 terabytes of data.
A Systemic Problem
Industry data indicate that South African organisations face an average of more than 2,000 cyberattacks per week, with the financial services sector among the most targeted industries on the continent, alongside the government and consumer goods sectors.
Last year, mobile operators Cell C and MTN were both impacted by cybersecurity incidents that exposed some customer data to bad actors, a reminder that the current wave is not an anomaly but an acceleration of a longer trend.
The Information Regulator has requested more information from both Standard Bank and Liberty before it can conduct a thorough investigation. What it finds will say a great deal about whether South Africa’s data protection framework has the teeth to match the scale of the problem.











