A recent analysis report by Surfshark found that, among global data breaches, South Africa ranks 42nd in Q1 2026. Globally, 210.3 million accounts were breached, with the US ranking first at 29% of all breaches from January through March. France takes second place, followed by India, Brazil, and the UK.[1] Surfshark is a consumer-focused cybersecurity and privacy product suite.
Since 2004, South Africa has been the second-most breached country in Africa, with 45.7 million compromised user accounts. A total of 13.3 million e-mails were breached in South Africa, while 22.9 million passwords were leaked, putting 50% of breached users in danger of account takeover that might lead to identity theft, extortion or other cybercrimes.
Statistically, 70 out of 100 South Africans have been affected by data breaches. Based on Surfshark’s full historical dataset, South Africa ranks 38th globally, with a total of 45.7 million leaked accounts over the past 20 years. Since 2004, the password (22.9 million) and username (12 million) have been the most compromised South African data points in breaches.
The scope of exposed information often extends to highly sensitive personal data, such as identity numbers; financial data, such as payment card numbers; and contact information, such as phone numbers and addresses. In Surfshark’s research, a breached account is counted as a single online account with an e-mail address that has been exposed on publicly available databases, potentially along with additional personal information, such as names, surnames, passwords, security numbers, location data, or other details.
AI threat - The report says the increased use of artificial intelligence (AI) adds an additional layer of cyber vulnerability, citing OACD data showing that in 2025, 20.2% of companies reported using AI, up from 8.7% in 2023, meaning adoption has more than doubled over the past two years.
“As companies rapidly adopt AI, they increase the amount of user data stored, expand the number of digital systems they use, and integrate more platforms to manage larger volumes of user data. These AI-driven systems also collect and log more detailed user information for automation, analytics, and model improvement. While this improves the company’s efficiency, it also means there are many more systems for businesses to secure, more opportunities for error, and more points where sensitive information, such as user credentials and personal data, can be exposed. As a result, hackers now have a larger and more complex environment to exploit and execute attacks, including data breaches,” explains the report.
Perpetual risk - With data breaches becoming a daily risk for companies, the underlying concern is that businesses force users to create accounts and provide personal information to complete an online purchase when there is no clear need for it. “For people, a data leak means their personal information is forever on the internet. It’s not a one-time threat that disappears after a user changes their compromised e-mail address and password. It becomes a constant security risk as hackers reuse leaked data, package it into ‘combo lists’, combine it with new leaks, and resell it repeatedly. So even after 10 or 20 years, leaked data is still valuable and can be used against a user to commit fraud, gain access to more data, and steal money,” emphasized the report.
A sales director at managed security services provider J2 Software says attackers are no longer relying on sophisticated exploits to break in. Instead, they are systematically targeting weak credentials, misconfigured systems, and exposed devices. “In fact, multiple industry reports now show that the vast majority of breaches stem from preventable gaps, such as identity weaknesses and poor visibility across digital environments. The uncomfortable truth is this: most organizations are not being hacked, they are being quietly accessed through doors they didn’t even realize were open. The biggest weaknesses in today’s environments are not always complex vulnerabilities, but rather a fundamental lack of visibility,” he says. He added that human behavior remains one of the simplest attack vectors. “Reused credentials, weak authentication practices, and incomplete multi-factor authentication coverage continue to provide low effort access for attackers. Industry analysis consistently shows that identity weaknesses are at the core of most successful breaches, reinforcing the need for stronger identity governance.”
However, the problem is accelerating with the rise of shadow IT, cloud sprawl, and AI adoption, he noted. “Employees and business units are deploying SaaS tools, automation, and AI integrations without security oversight. These technologies often bypass governance processes, creating unmanaged and unmonitored entry points.”
The lead security consultant for Check Point Software Technologies points out that South Africa’s continued high ranking for data breaches underlines a persistent and systemic problem rather than a short-term spike. “Being placed 42nd globally and second in Africa, with roughly 47.5 million compromised accounts since 2004, indicates that while awareness of cyber risk has improved, execution has not kept pace.” He added that, in many cases, organizations remain reactive rather than preventive. “Security controls are unevenly implemented, legacy systems remain exposed, and basic cyber hygiene measures, such as strong identity management, vulnerability management, and incident response readiness, are inconsistently applied, particularly outside the financial sector. Regulatory frameworks like POPIA have improved accountability on paper, but enforcement and day-to-day.
The consultant asserts that not enough is being done in practical terms. “Until cyber security is treated as a business-wide risk, owned at the executive level and backed by sustained investment in people, process and technology, South Africa is likely to remain an attractive target for cyber criminals, regardless of global improvements in breach trends.”
Wave of breaches - There has been a spate of data breaches in South Africa recently, including at Standard Bank, which notified its business clients in March of a breach that exposed their personal information. The bank said data, including select client records, account numbers, limited account information, business names, and ID/registration numbers, were exposed. In an update soon after, it was reported that hackers had publicly released data stolen from the bank. It followed another incident in March during which Standard Bank’s subsidiary and insurer, Liberty, also fell victim to a breach that affected clients.
In the same month, Stats SA confirmed that hackers had accessed its information. It was reported that a hacker group called XP95 had claimed to have 154GB of information and demanded $100 000 (R1.7 million) in ransom. Stats SA stated that it would not comply with the ransom demand.
In April 2026, Polmed, the medical aid scheme serving members of the South African Police Service, confirmed a suspected data breach after having received a ransom demand from a threat actor. Cybersecurity experts told ITWeb that stolen South African credentials are being sold for as little as R100 on the dark web. Experts stress that criminals operate like online businesses, selling resources that enable anyone to launch attacks.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.itweb.co.za/article/70-out-of-100-south-africans-hit-by-data-breaches/KjlyrvwBOo1qk6am