Data breaches and cyber vulnerabilities - SA's troubling lack of readiness revealed

South Africa is becoming globally notorious in a field that should really be avoided: cybersecurity failure. A recent report from Virtual Private Network provider Surfshark shows that South Africa ranks second on the continent for data breaches.

Simultaneously, Cisco’s 2025 Cybersecurity Readiness Index reveals a dangerous disconnect — while 85% of local companies believe they're prepared, just 7% meet the “mature” threshold for actual cyber resilience. Daily Maverick’s examination of leaked data on the dark web confirms a troubling truth: South African data is leaking at an industrial scale, driven by poor cyber hygiene and a digital environment outpacing its own defences.

Less than zero: South Africa’s scorecard


South African Airways (SAA), the South African National Defence Force (SANDF), Experian, and Home Affairs — and as of last week, Mediclinic — the list goes on. South Africa has emerged as one of the primary countries targeted by hackers for data leaks and ransomware.

The Surfshark 2025 breach ranking places South Africa second in Africa and 37th globally, but more concerning is the upward trajectory. Surfshark data shows a 164% increase in breach volume from the third quarter to the fourth quarter of last year, based on tracked accounts exposed in known breached databases. Meanwhile, Cisco’s 2025 Cybersecurity Readiness Index found that while 85% of South African firms claim confidence, most fall into the “formative” or “beginner” categories, indicating an alarming gap between perception and preparedness.

Of far more import is the risk to the state and public sector. The SANDF breach of August 2023 revealed critical gaps in public sector cybersecurity. Operational schedules, internal communications, and staff details were dumped on public forums. Should a similar breach hit Eskom or Rand Water, the fallout could escalate from data loss to national service failure, severely undermining South Africa’s essential infrastructure.

Smashthestate: infrastructure in the crosshairs


The SANDF breach wasn’t a one-off. Staff rosters, operational files, and internal communications were leaked with minimal resistance, revealing deep structural vulnerabilities — at the time that Daily Maverick viewed the page, the data had been downloaded 154 times. South African Airways (SAA) similarly saw both employee and passenger data compromised. Even the Department of Home Affairs — custodian of the national population register and biometric databases — has suffered multiple exposures.

In one case, a misconfigured public server linked to a third-party contractor’s testing environment left biometric fingerprint templates, ID numbers, and passport scans openly accessible online for more than two months before being taken down. 

“The system wasn’t even behind a login — it was indexed by search engines,” confirmed Hendrik de Bruin, the head of SADC Security Consulting at Check Point in an interview with Daily Maverick. “Anyone with a browser could access high-value identity data in raw form.” 

This not only violates basic data protection principles, but poses significant surveillance and identity theft risks, particularly given South Africa’s widespread use of biometrics for banking and social grants.

“There is no proper segmentation between operational tech and IT in many departments. That’s how you go from data loss to infrastructure failure,” De Bruin continued. “Public entities often rely on legacy systems patched together over decades, making them a soft target.”

Telecom metadata leaks suggest even critical communications infrastructure is poorly protected — laying the groundwork for both surveillance and sabotage. The long-term concern, experts note, is not just data privacy, but systemic risk to national functioning.

An absent red team: the hollowing out of SA’s skills


One of the most consistent failures is pre-emptive testing, with few state procurement contracts mandating red teaming or penetration testing. Instead, a culture of checkbox compliance dominates government IT planning, where simply having antivirus software counts as security preparedness.

“Breaches go undetected because no one’s even looking for them,” said De Bruin. “We have government departments that can’t afford even basic endpoint protection. Of course attackers will sit in those systems for weeks.”

Cisco’s 2025 Index reinforces this point. 

“Many organisations don’t even know what their perimeter looks like any more,” said Nabeel Rajab, a cybersecurity specialist at Cisco, presenting the index on Wednesday, 28 May 2025. “Cybersecurity is no longer just about a firewall — the attack surface has become broader and more dynamic.”

The report found that 43% of South African organisations had experienced an AI-driven cyber incident in the past year, yet the majority remain reactive rather than proactive. 

“More than half of organisations surveyed still operate in a mode of responding to attacks, rather than preventing them,” Rajab said.

Further, South African security leadership often lacked proper executive buy-in. “There’s a disconnect between chief information security officers and C-suite executives. Security leaders are not always at the decision-making table,” said Rajab.

“Most firms don’t run regular perimeter reviews. They outsource security and forget about it,” De Bruin added. “And with AI-driven phishing kits now available for $10 (R179) on Telegram, attackers don’t need to be sophisticated.”

Moreover, attackers can use third parties to gain access to sensitive data, as was the case with the recent Mediclinic leak. The breach occurred earlier this year and, according to a statement by the medical group, came through a third-party IT provider, probably one providing payroll services, given that the stolen data consisted primarily of payroll information.

A Mediclinic media statement said: “We are confident that no patient data has been affected,” and confirmed that its systems had since been further secured.

Nation states and proxies — the advanced persistent threat in the room


Advanced persistent threats (APTs) refer to highly sophisticated and sustained cyberattack campaigns, often orchestrated by nation-states or state-sponsored groups. Unlike ordinary cybercriminals who typically seek quick financial gain, APTs focus on long-term infiltration, data theft, surveillance, and even sabotage.

These actors use tailored malware, social engineering, and zero-day vulnerabilities to silently breach networks, maintain access over extended periods, and exfiltrate sensitive data — often without detection.

APTs are typically aligned with strategic geopolitical objectives, such as espionage, infrastructure disruption, or influence operations. Their presence in South Africa suggests the country is being used as both a testbed and a foothold for broader regional campaigns.

Check Point’s 2025 threat map shows increased targeting of South African systems by advanced persistent threats (APTs) such as APT28 (Russia), Void Manticore (Iran), and Volt Typhoon (China).

“APT actors used to test in Eastern Europe. Now they test here,” said De Bruin. South Africa’s non-aligned foreign policy stance, paired with poor cyber defences, makes it an ideal “silent battleground.”

He added: “APT actors value South Africa because they can trial infrastructure payloads in the wild without triggering Nato’s red lines.”

Cisco analysts also flagged this shift, noting that while countries like the US, Japan, and Germany have built mature cyber defences, countries like South Africa are increasingly being exploited as soft entry points for threat actors looking to test malware, exploit vulnerabilities, and gather reconnaissance.

“We’re building a smart state on insecure foundations. Without urgent reform, a breach will one day lead to a blackout — or worse,” Rajab warned.

What this means for you


This isn’t just about your ID number being on Telegram. The bigger risk is systemic failure. The disruption of power grids, water systems, or air traffic control through ransomware or unauthorised access is no longer theoretical. It has happened elsewhere — in Ukraine, Iran, and the US. South Africa may be next.

Two laws govern cybercrime in South Africa: the Protection of Personal Information Act (Popia, 2013) and the Cybercrimes Act (2020). While Popia mandates breach notification, it lacks enforcement teeth. The Cybercrimes Act criminalises data interference — but with no national breach registry, no proactive SOC (Security Operations Centre) infrastructure, and limited prosecutorial momentum, its impact remains muted.

The Information Regulator, tasked with enforcing Popia, has issued only a handful of sanctions. There is no obligation for public disclosure of breaches beyond notifying affected individuals, meaning systemic risks are often hidden until too late. 


“The biggest threat in South Africa is normalisation,” said De Bruin. “Once leaks become routine, so does failure.”

The price of doing nothing: national security


The cost of inaction is no longer reputational — it’s operational and, in time, existential. Until cybersecurity is treated not as compliance window-dressing but as a survival imperative, the gap between attack and defence will only widen — with catastrophic potential.

South Africa’s cybersecurity response needs urgent reform: stronger legislation, competent enforcement, national breach transparency, and dedicated funding. 

As Rajab concluded in his briefing: “Resilience isn’t built on confidence — it’s built on readiness. And right now, South Africa is confident, but not ready.” DM