Learn about the biggest data breaches in South Africa, why South Africa is an attractive target for cyber attacks and how these could have been prevented.
Alex
Created: August 1, 2025
Updated: August 1, 2025
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to help you understand passkeys and its characteristics better.
South African organizations are facing a fast-growing data breach epidemic. In just the first quarter of 2024 alone, more than 34.5 million local accounts were compromised, making South Africa the second-most affected country in Africa for cyber incidents. Over the past two years, the number of data breach reports has tripled, with over 1,700 incidents reported in 2023 compared to around 500 in 2022.
The country’s Information Regulator is now receiving more than 150 breach notifications every month, which is a dramatic rise from just 56 per month a year earlier. Behind these incidents lies a troubling pattern: 95% of breaches are caused by human error, often through phishing, social engineering, weak or reused passwords, and other avoidable mistakes.
Financially, the damage is severe. In 2024, the average cost of a single breach hit R53 million, with the most severe incidents costing up to R360 million. Nationally, the Council for Scientific and Industrial Research estimates the annual cost of data breaches at R2.2 billion.
Despite these escalating risks, many organizations remain underprepared. Only 29% plan to increase their cybersecurity budgets significantly for 2025, leaving large gaps in protection.
In this blog, we’ll take a closer look at the 10 biggest and most damaging data breaches in South Africa, what made them possible, and what patterns can help prevent the next wave of incidents.
South Africa’s growing role as a digital and economic leader on the continent also makes it a high-priority target for cyberattacks. Several national characteristics contribute to the rising number of data breaches and the severity of their consequences. Below are the four key factors driving this trend:
South Africa’s advanced digital infrastructure makes it a prime target for both financially motivated cybercriminals and state-sponsored attackers. From financial services and telecom to e-commerce and government, many sectors in South Africa rely heavily on digital platforms, broadening the attack surface for threat actors seeking disruption, espionage, or financial gain.
Organizations in both the public and private sectors collect and process extensive personal data, often beyond what is strictly necessary. This over-collection, combined with widespread third-party data sharing and complex opt-out mechanisms, increases the risk of exposure. A single user action can result in their data being shared across multiple systems, creating multiple potential points of compromise.
Human error remains the dominant factor in South African data breaches, with up to 95% of incidents linked to avoidable mistakes. These include accidental data leaks, weak passwords, and successful phishing attempts. Many companies still lack adequate cybersecurity training, incident response protocols, and basic awareness among staff and executives, leaving them vulnerable to even low-effort attacks.
While South Africa has implemented key data protection laws like POPIA and the Cybercrimes Act, enforcement remains inconsistent. Limited resources, fragmented responsibilities, and slow institutional responses have created gaps in accountability.
In this section, we take a closer look at the most significant data breaches in South Africa to date. Each of these incidents exposed large volumes of sensitive data, caused lasting reputational or financial damage, and revealed critical security weaknesses that other organizations can learn from. The breaches are presented in descending order based on impact, with key facts, a summary of what happened, and actionable insights on how each incident could have been prevented.
Details | Information |
---|---|
Date | October 2017 (disclosed October 2017) |
Impacted Individuals | Over 60 million |
Breached Data | Full names; South African ID numbers; property ownership and mortgage data; income and employment details; physical addresses |
Method of Attack | Misconfigured public-facing web server |
Sector | Real Estate / Property Services |
In October 2017, a cybersecurity researcher discovered a massive amount of personal records on an unprotected web server belonging to a South African real estate data firm, later linked to Jigsaw Holdings, the parent company of Master Deeds. The breach is widely considered the largest in South African history, with over 60 million personal records exposed (including data on deceased individuals, minors, and high-profile public figures).
The exposed database included detailed information such as ID numbers, employment history, income estimates, home ownership details, and property valuations. Alarmingly, the server had no password protection and was accessible to anyone with the direct URL. The data was stored in plain text and indexed by search engines, meaning it may have been publicly accessible for months before being discovered.
Although the breach was quickly taken offline once reported, the damage had already been done. Security experts raised concerns that the dataset could be used for identity theft, financial fraud, and targeted phishing scams for years to come. The incident sparked public outrage and placed pressure on government authorities to accelerate the implementation of South Africa’s data protection law, POPIA, which had not yet been enforced at the time.
Prevention methods:
Enforce strict access controls and password protection on all externally facing servers.
Regularly audit infrastructure for misconfigurations and public exposure risks.
Encrypt sensitive data at rest to reduce impact even if a breach occurs.
Details | Information |
---|---|
Date | August 2020 (disclosed August 2020) |
Impacted Individuals | ~24 million South Africans; 793,749 businesses |
Breached Data | Names; identity numbers; phone numbers and email addresses; business registration details |
Method of Attack | Social engineering / Impersonation |
Sector | Credit Bureau / Financial Services |
In August 2020, global credit bureau Experian disclosed a significant data breach that exposed the personal and business information of approximately 24 million South African individuals and nearly 800,000 local businesses. The attacker posed as a legitimate client and was able to trick Experian into handing over bulk consumer and commercial data.
The leaked information included names, identity numbers, and contact details, although Experian claimed that no financial or credit-related data was compromised. Nonetheless, the exposed data held high value for fraudsters, as it could be used in phishing, identity theft, and business impersonation schemes.
The attacker was later identified and the data was reportedly secured before it was widely distributed, but the incident still raised concerns about how easily sensitive data could be extracted through non-technical means. The breach prompted greater scrutiny of client verification processes in the financial sector and calls for tighter controls around access to bulk consumer datasets.
Prevention methods:
Implement strict identity verification procedures before releasing sensitive data to clients.
Provide regular employee training on recognizing and responding to social engineering attempts.
Limit the volume of data that can be shared or exported in a single transaction.
Details | Information |
---|---|
Date | February 2024 (disclosed March 2024) |
Impacted Individuals | 7.7 million customers |
Breached Data | Full names; South African ID numbers; banking and financial details; contact information; SIM card and network metadata |
Data Volume | ~2 terabytes |
Method of Attack | Unauthorized external access / network intrusion |
Sector | Telecommunications |
In early 2024, South African mobile network operator Cell C suffered a data breach in which hackers exfiltrated roughly 2 terabytes of sensitive data tied to its customer base of 7.7 million users. The stolen data included a dangerous mix of personal, contact, and financial information such as ID numbers, banking details, and SIM metadata.
After gaining unauthorized access to internal systems, the attackers leaked portions of the data online, drawing swift public and regulatory attention. The full breach was disclosed a few weeks later, and investigations revealed that the attack likely exploited vulnerabilities in Cell C’s internal network security and insufficient segmentation of sensitive data.
The breach posed severe risks for identity theft, SIM swapping, and banking fraud, especially given the volume and sensitivity of the leaked information. Cell C faced backlash over delayed public disclosure, prompting renewed debates about breach notification laws and cybersecurity accountability in the telecom sector.
Prevention methods:
Segment internal systems and restrict access to sensitive financial and identity data.
Deploy intrusion detection and data exfiltration monitoring tools across core infrastructure.
Encrypt all high-risk customer data at rest and in transit to minimize exposure in case of breach.
Details | Information |
---|---|
Date | May 2022 (disclosed May 2022) |
Impacted Individuals | 3.6 million customers |
Breached Data | Full names; email addresses; phone numbers |
Method of Attack | Unauthorized access via third-party service provider |
Sector | Retail / Healthcare / Pharmacy |
In May 2022, Dis-Chem, South Africa’s second-largest pharmacy chain, disclosed a data breach that affected 3.6 million customers. The breach occurred through a third-party service provider responsible for handling customer communications on behalf of Dis-Chem.
An unauthorized party gained access to a database containing customer names, email addresses, and phone numbers. While no medical records or financial data were reportedly involved, the nature of the compromised information still left customers vulnerable to phishing, scams, and identity theft.
The incident highlighted the risks of relying on external vendors without strong oversight, as well as the importance of securing all customer data. Dis-Chem reported the incident to the Information Regulator and initiated internal and external investigations to assess the full scope of the breach.
Prevention methods:
Conduct regular security assessments of third-party vendors with access to customer data.
Enforce contractual data protection requirements and vendor compliance monitoring.
Apply encryption and access controls even for seemingly low-risk data fields.
Details | Information |
---|---|
Date | September 2018 (disclosed October 2018) |
Impacted Individuals | ~934,000 drivers |
Breached Data | Full names; email addresses; phone numbers; encrypted passwords |
Method of Attack | Unsecured backup server (misconfiguration) |
Sector | Transportation / Government Services |
In late 2018, researchers discovered that ViewFines, a platform used by South African drivers to track traffic fines online, had left an unsecured backup server publicly accessible, exposing nearly one million user records. The server contained sensitive information such as names, contact details, and hashed passwords.
The exposed database had no authentication or encryption, allowing anyone with the server’s IP address to download the information. While passwords were encrypted, security experts warned they could still be cracked using common techniques, particularly if weak password choices were used.
The breach raised concerns about the security of public-sector-adjacent services handling citizen data, especially given the increasing reliance on digital portals for government-related tasks. The company later secured the server and pledged to improve its data protection practices.
Prevention methods:
Secure backup servers with strong authentication and restrict public internet access.
Regularly audit and monitor cloud and on-premise infrastructure for exposure risks.
Enforce strong password hashing standards (e.g. bcrypt) and encourage secure user credentials.
Details | Information |
---|---|
Date | September 2021 (disclosed September 2021) |
Impacted Records | 1,200+ confidential files (estimated) |
Breached Data | Personal identification details; financial and banking information; legal and case-related records |
Method of Attack | Ransomware attack |
Sector | Government / Legal Services |
In September 2021, South Africa’s Department of Justice and Constitutional Development suffered a ransomware attack that severely disrupted key government operations. The attack encrypted internal systems, crippling services like email, court filing systems, and payment processing for several weeks.
While the full scope of data exposure was never officially confirmed, investigators noted that more than 1,200 confidential files may have been accessed, many containing sensitive personal and financial data, as well as information related to ongoing legal proceedings.
The incident highlighted vulnerabilities in critical government infrastructure, including insufficient endpoint protection and the lack of offline system redundancy. Court proceedings and social grant payments were delayed as a result, sparking national concern over the resilience of South Africa’s digital public services.
Prevention methods:
Implement secure, offline backups and disaster recovery systems for critical infrastructure.
Deploy enterprise-grade endpoint protection and anti-ransomware software across all devices.
Conduct regular penetration testing and system hardening in high-risk public sector environments.
Details | Information |
---|---|
Date | January 2017 (disclosed March 2017) |
Impacted Individuals | Up to 7 million customers |
Breached Data | Full names; email addresses; plain-text passwords; usernames and login credentials |
Method of Attack | Insecure web application / exposed API |
Sector | Entertainment / Cinema / Retail |
In early 2017, a serious vulnerability in Ster-Kinekor’s online platform exposed the personal data of up to 7 million customers, including plain-text passwords. The flaw was discovered in an insecure API endpoint that allowed unauthenticated access to user records from the cinema chain’s booking system.
Security researchers reported that the database contained not just email addresses and usernames but also passwords stored in unencrypted, plain-text format. While Ster-Kinekor acted quickly to shut down the vulnerable system, the incident underscored how basic security practices were overlooked, especially around password handling and API protection.
This breach became one of the earliest wake-up calls in South Africa for enforcing better data handling in consumer-facing applications, particularly in the retail and entertainment sectors.
Prevention methods:
Store all passwords using strong hashing algorithms like bcrypt or Argon2.
Regularly test APIs and web applications for authentication and authorization flaws.
Implement strict input validation, rate limiting, and access controls for all user-facing endpoints.
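The ViewFines and Ster-Kinekor cases above both come down to how passwords were stored. This added example (not code from either company or from the original article) contrasts an unsalted fast hash, which a leaked table can be matched against directly, with a salted, slow key-derivation function; the standard library's `hashlib.scrypt` stands in for bcrypt/Argon2 so that nothing needs installing, and the cost parameters and the constructed wordlist are assumptions.

```python
# Added example: weak password storage beside a salted, slow KDF.
# hashlib.scrypt stands in for bcrypt/Argon2 (assumption: stdlib only).
import hashlib
import hmac
import os
from typing import Optional

# Unsalted fast hash: what "encrypted passwords" in a dump often turns out to be.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Whoever holds such a dump only needs a precomputed table of common passwords.
# Constructed wordlist for illustration.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Durban2018"]
LOOKUP_TABLE = {legacy_hash(p): p for p in COMMON_PASSWORDS}

def crack_legacy(stored: str) -> Optional[str]:
    """Recover a weak password from an unsalted SHA-1 by plain table lookup."""
    return LOOKUP_TABLE.get(stored)

# Salted, memory-hard KDF with a per-user random salt and tunable cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Store the parameters alongside so cost can be raised later without a reset.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False   # malformed record: never accept, never crash
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    leaked = legacy_hash("letmein")
    print("legacy hash recovered:", crack_legacy(leaked))         # letmein
    h1, h2 = hash_password("letmein"), hash_password("letmein")
    print("same password, different records:", h1 != h2)          # True
    print("verify correct:", verify_password("letmein", h1))       # True
    print("verify wrong:", verify_password("Letmein", h1))         # False
```

Two users with the same password produce identical legacy hashes but distinct scrypt records, so a single cracked entry no longer unlocks every matching account.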
Details | Information |
---|---|
Date | January 2020 (disclosed February 2020) |
Impacted Data Volume | Unknown (potential exposure) |
Breached Data | Employee records; customer account details; internal documents and operational data |
Method of Attack | Malware infection / suspected internal leak |
Sector | Energy / Utilities |
In early 2020, Eskom, South Africa’s national electricity provider, confirmed a malware infection on its IT systems, which disrupted operations and raised fears of a significant data leak. While Eskom initially reported the incident as contained, cybersecurity researchers later identified publicly accessible folders online allegedly linked to Eskom, containing sensitive internal documents, employee records, and customer information.
The breach drew public attention due to Eskom’s role as a critical infrastructure operator, with concerns over the stability of national energy supply and the potential misuse of leaked data. The company did not confirm the full scope of the exposure, but the combination of malware and poor internal data handling practices suggested weaknesses in endpoint protection and access governance.
The incident emphasized the growing risk of cyberattacks targeting utilities, especially when legacy systems and underfunded cybersecurity programs are in place.
Prevention methods:
Implement robust endpoint detection and response (EDR) tools across all corporate systems.
Limit internal data exposure through role-based access controls and regular permission audits.
Secure and monitor file-sharing services to prevent unauthorized external publication of data.
Details | Information |
---|---|
Date | October 2016 (disclosed November 2016) |
Impacted Individuals | ~100,000 municipal account holders |
Breached Data | South African ID numbers; physical addresses; full names; phone numbers and email addresses |
Method of Attack | Website vulnerability / insecure direct object references |
Sector | Government / Municipal Services |
In late 2016, a security flaw in the eThekwini Municipality’s online billing system exposed the personal details of nearly 100,000 account holders. The vulnerability, discovered by a local researcher, allowed anyone to manipulate a URL and access other users’ municipal billing data without authentication.
Leaked information included names, ID numbers, physical addresses, and contact details, raising concerns about privacy, especially given that the platform was publicly accessible for months before the issue was addressed. The breach was considered particularly serious because it affected government-issued records and demonstrated a lack of basic security hygiene in a civic-facing system.
The municipality took the affected system offline and later implemented fixes, but the case highlighted the risks of weak access controls and insufficient vulnerability testing in government digital platforms.
Prevention methods:
Conduct regular vulnerability scanning and penetration testing of all public-facing applications.
Implement secure coding practices and enforce authentication on sensitive endpoints.
Use input validation and access control mechanisms to prevent direct object reference attacks.
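The eThekwini flaw is a textbook insecure direct object reference. This added example (not the municipality's code) shows the lookup pattern behind it next to a hardened version that binds the requested account to the authenticated session and records refusals for monitoring; the account table, user names and log format are constructed.

```python
# Added example: IDOR-prone billing lookup beside an ownership-checked version.
from typing import List, Optional

# Constructed sample data standing in for a municipal billing table.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "A. Example", "id_number": "ID-PLACEHOLDER-1", "balance": 1250.00},
    "1002": {"owner": "bob",   "name": "B. Example", "id_number": "ID-PLACEHOLDER-2", "balance": 310.50},
}

# Constructed audit log so that refusals are visible to monitoring.
AUDIT_LOG: List[str] = []

def get_bill_vulnerable(account_id: str) -> Optional[dict]:
    """Vulnerable: trusts the account number taken from the URL (e.g. ?acc=1002)
    and never asks who is making the request."""
    return ACCOUNTS.get(account_id)

def get_bill_secure(session_user: Optional[str], account_id: str) -> Optional[dict]:
    """Hardened: requires an authenticated session and checks that the session
    owns the requested account before returning anything."""
    if session_user is None:
        AUDIT_LOG.append(f"deny unauthenticated acc={account_id}")
        return None
    record = ACCOUNTS.get(account_id)
    # Same 'not found' for missing and foreign accounts, so the response does
    # not confirm which account numbers exist.
    if record is None or record["owner"] != session_user:
        AUDIT_LOG.append(f"deny user={session_user} acc={account_id}")
        return None
    return record

def denied_attempts_for(user: str) -> int:
    """Count refusals for one user; a burst of these is the signal a SOC wants."""
    return sum(1 for line in AUDIT_LOG if f"user={user} " in line)

if __name__ == "__main__":
    print(get_bill_vulnerable("1002")["name"])          # B. Example, no login needed
    print(get_bill_secure("alice", "1001")["balance"])  # 1250.0
    print(get_bill_secure("alice", "1002"))             # None
    print(get_bill_secure(None, "1001"))                # None
    print(denied_attempts_for("alice"))                 # 1
```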
Details | Information |
---|---|
Date | April 2025 (disclosed April 2025) |
Impacted Individuals | Undisclosed (included high-net-worth individuals) |
Breached Data | Full names; contact details; property ownership and valuation data; business affiliations and client records |
Method of Attack | Unauthorized access to customer database |
Sector | Real Estate / High-end Property Services |
In April 2025, Pam Golding Properties, one of South Africa’s leading high-end real estate firms, suffered a data breach involving unauthorized access to its client database. Although the exact number of affected individuals was not made public, the breach drew national attention due to the sensitive nature of the clientele, which includes prominent business leaders, political figures, and international investors.
The compromised data included contact details, personal identifiers, property transaction histories, and potentially confidential business information linked to clients’ real estate portfolios. The breach raised serious concerns around targeted fraud, real estate scams, and reputational risk, especially in a sector that handles high-value transactions and private wealth data.
Pam Golding confirmed the breach and stated it had launched an investigation, informed regulators, and begun notifying impacted clients. However, the incident highlighted how real estate platforms (especially those dealing with affluent customers) can become lucrative cybercrime targets when proper access controls and database protections are lacking.
Prevention methods:
Encrypt all client data, especially property and financial records, both at rest and in transit.
Enforce multi-factor authentication for all staff accessing sensitive databases.
Conduct regular access audits and anomaly detection to identify unauthorized data access early.
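Three of the prevention lists above point at the same control: capping how much data one request may export (Experian), monitoring for exfiltration (Cell C) and detecting anomalous access early (Pam Golding). This added example (not code from any of those companies or from the article) runs a minimal bulk-export detector over constructed audit-log lines; the log format, the per-request cap and the hourly baseline are assumptions.

```python
# Added example: bulk-export detection over constructed audit-log lines.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed log format: "<ISO timestamp>Z user=<name> action=<verb> rows=<n>".
# The timestamp group keeps only the hour so events bucket per user per hour.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$")

MAX_ROWS_PER_REQUEST = 5_000    # hard cap: one export may never exceed this
HOURLY_BASELINE_ROWS = 20_000   # alert when a user's hourly total passes this

# Constructed sample log: a normal clerk, one over-cap request, and a slow
# drip of exports that each stay under the cap but stand out when summed.
SAMPLE_LOG = """\
2025-04-02T09:01:10Z user=clerk1 action=export rows=120
2025-04-02T09:15:42Z user=clerk1 action=export rows=340
2025-04-02T10:03:05Z user=partner7 action=export rows=9000
2025-04-02T11:00:01Z user=svc-report action=export rows=4800
2025-04-02T11:12:30Z user=svc-report action=export rows=4900
2025-04-02T11:25:07Z user=svc-report action=export rows=4700
2025-04-02T11:41:55Z user=svc-report action=export rows=4950
2025-04-02T11:58:12Z user=svc-report action=export rows=4600
2025-04-02T12:10:00Z user=clerk2 action=view rows=1
"""

def parse_log(text: str) -> List[dict]:
    """Parse lines into dicts; malformed lines are skipped rather than crashed on."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rows"] = int(d["rows"])
            events.append(d)
    return events

def detect_bulk_exports(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) findings for exports breaching either rule."""
    findings = []
    hourly: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["action"] != "export":
            continue
        if e["rows"] > MAX_ROWS_PER_REQUEST:
            findings.append(("over_cap", e["user"], f"{e['rows']} rows in one request"))
        hourly[(e["user"], e["ts"])] += e["rows"]
    for (user, hour), total in sorted(hourly.items()):
        if total > HOURLY_BASELINE_ROWS:
            findings.append(("hourly_baseline", user, f"{total} rows in hour {hour}"))
    return findings

if __name__ == "__main__":
    for finding in detect_bulk_exports(parse_log(SAMPLE_LOG)):
        print(finding)
```

The per-request cap catches the single oversized pull; the hourly sum is what catches the service account that stays just under the cap on every request.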
A review of South Africa’s largest data breaches reveals clear patterns in how and why these incidents occur. While each case has its own technical specifics, many share similar root causes, pointing to broader structural issues across sectors. Below are three recurring themes that organizations should be especially aware of:
A common denominator across many breaches is the absence of basic security hygiene in foundational IT systems. Misconfigured servers, exposed APIs, and outdated authentication mechanisms often create open doors for attackers. In many cases, sensitive data was stored without encryption or protected by default credentials, making exploitation trivial once discovered. These weaknesses suggest that many organizations still treat security as a bolt-on rather than a core design principle.
South African organizations often collect and retain far more personal information than necessary (frequently storing names, ID numbers, contact details, and financial records in central systems). This over-collection, combined with weak data minimization policies, increases the attack surface significantly. Even when only partial records are compromised, the exposed data is often enough to enable fraud or impersonation. Without stricter limits on what data is collected and for how long it is retained, exposure risks will remain high.
Many incidents show that cybersecurity in South Africa is still largely reactive. Organizations often lack formal incident response plans, real-time monitoring, and regular security testing. Breaches are frequently discovered by external parties, such as security researchers or journalists, rather than internal systems. This reactive posture delays containment and increases damage. Building a mature security culture requires not only technical controls, but also executive awareness, continuous risk assessment, and regular training across all departments.
Data breaches in South Africa have grown not only in number, but in severity, sophistication, and financial impact. From real estate and telecommunications to government and retail, no sector is immune. The breaches reviewed in this article show that many of these incidents could have been avoided with better digital hygiene, stricter data practices, and a more proactive security mindset.
As cyber threats continue to evolve, South African organizations must recognize that compliance alone is not enough. Real resilience comes from treating security as a continuous process, one that is embedded into systems, people, and policies from the ground up.