Surfshark’s quarterly analysis of global data breaches shows South Africa ranks as the 42nd most breached country in Q1 2026.
Globally, a total of 210.3 million accounts were breached, with the US ranking first at 29% of all breaches from January through March. France takes second place, while India is third, followed by Brazil and the UK.
Since 2004, South Africa has been ranked as the second most breached country in Africa, with 45.7 million compromised user accounts. A total of 13.3 million e-mails were breached in South Africa, while 22.9 million passwords were leaked, putting 50% of breached users in danger of account takeover that might lead to identity theft, extortion or other cyber crimes.
Statistically, 70 out of 100 South Africans have been affected by data breaches. Based on Surfshark’s full historical dataset, South Africa ranks 38th globally, with a total of 45.7 million leaked accounts over the past 20 years.
Since 2004, the password (22.9 million) and username (12 million) have been the most commonly compromised South African data points in breaches.
The scope of exposed information often extends to highly sensitive personal data, such as identity numbers; financial data, such as payment card numbers; and contact information, such as phone numbers and addresses.
Surfshark says, in its research, a breached account is counted as a single online account with an e-mail address that has been exposed on publicly available databases, potentially along with additional personal information, such as names, surnames, passwords, security numbers, location data, or other details.
AI threat
The increased use of artificial intelligence (AI) adds a further layer of cyber vulnerability, with Surfshark citing OECD data stating that in 2025, 20.2% of companies reported using AI, up from 8.7% in 2023 − meaning adoption has more than doubled over the past two years.
According to Tomas Stamulis, chief security officer at Surfshark, as companies rapidly adopt AI, they increase the amount of user data stored, expand the number of digital systems they use, and integrate more platforms to manage larger volumes of user data.
“These AI-driven systems also collect and log more detailed user information for automation, analytics and model improvement.
“While this improves the company’s efficiency, it also means there are many more systems for businesses to secure, more opportunities for error, and more points where sensitive information, such as user credentials and personal data, can be exposed.
“As a result, hackers now have a larger and more complex environment to exploit and execute attacks, including data breaches,” explains Stamulis.
Perpetual risk
With data breaches becoming a daily risk for companies, Surfshark underlines concern over businesses forcing users to create accounts and provide personal information to complete an online purchase when there is no clear need for it.
“For people, a data leak means their personal information is forever on the internet. It’s not a one-time threat that disappears after a user changes their compromised e-mail address and password. It becomes a constant security risk as hackers reuse leaked data, package it into ‘combo lists’, combine it with new leaks and resell it repeatedly.
“So even after 10 or 20 years, leaked data is still valuable and can be used against a user to commit fraud, gain access to more data and steal money,” adds Stamulis.
Roy Alves, sales director at managed security services provider J2 Software, says attackers are no longer relying on sophisticated exploits to break in. Instead, they are systematically targeting weak credentials, misconfigured systems and exposed devices.
“In fact, multiple industry reports now show that the vast majority of breaches stem from preventable gaps, such as identity weaknesses and poor visibility across digital environments. The uncomfortable truth is this: most organisations are not being hacked, they are being quietly accessed through doors they didn’t even realise were open.
“The biggest weaknesses in today’s environments are not always complex vulnerabilities, but rather a fundamental lack of visibility,” says Alves.
He adds that human behaviour remains one of the simplest attack vectors. “Reused credentials, weak authentication practices and incomplete multi-factor authentication coverage continue to provide low-effort access for attackers. Industry analysis consistently shows that identity weaknesses are at the core of most successful breaches, reinforcing the need for stronger identity governance.”
However, the problem is accelerating with the rise of shadow IT, cloud sprawl and AI adoption, Alves notes.
“Employees and business units are deploying SaaS tools, automation and AI integrations without security oversight. These technologies often bypass governance processes, creating unmanaged and unmonitored entry points.”
Hendrik de Bruin, head: security consulting Africa, Check Point Software Technologies, points out that South Africa’s continued high ranking for data breaches underlines a persistent and systemic problem rather than a short-term spike.
“Being placed 42nd globally and second in Africa, with roughly 47.5 million compromised accounts since 2004, indicates that while awareness of cyber risk has improved, execution has not kept pace.”
According to De Bruin, in many cases, organisations are still reactive rather than preventative.
“Security controls are unevenly implemented, legacy systems remain exposed and basic cyber hygiene measures − such as strong identity management, vulnerability management and incident response readiness − are inconsistently applied, particularly outside the financial sector.
“Regulatory frameworks like POPIA have improved accountability on paper, but enforcement and day-to-day operational maturity lag behind attacker capabilities.”
De Bruin asserts that not enough is being done in practical terms. “Until cyber security is treated as a business-wide risk, owned at executive level and backed by sustained investment in people, process and technology, South Africa is likely to remain an attractive target for cyber criminals, regardless of global improvements in breach trends.”
Wave of breaches
There has been a spate of data breach incidents of late in South Africa, including at Standard Bank, which notified its business clients of a breach in March that exposed their personal information.
The bank said data, including select client records, account numbers, limited account information, business names and ID/registration numbers, were exposed.
In an update soon after, it was reported that hackers had publicly released data stolen from the bank. It followed another incident in March during which Standard Bank’s subsidiary and insurer Liberty also fell victim to a breach that affected clients.
In the same month, Stats SA confirmed that hackers had accessed its information. It was reported that a hacker group called XP95 had claimed to have 154GB of information and demanded $100 000 (R1.7 million) in ransom. Stats SA stated it would not adhere to the ransom demand.
In April, Polmed, the medical aid scheme serving members of the South African Police Service, confirmed a suspected data breach after having received a ransom demand from a threat actor.
Cyber security experts told ITWeb that stolen credentials belonging to South Africans are being sold for as little as R100 on the dark web.
Experts stress that criminals operate like online businesses, selling resources that enable anyone to launch attacks.

