Firms under-report POPIA breaches as cyber attacks rise

By Nicola Mawson, Contributing journalist
Johannesburg, 30 Oct 2025
As cyber attacks continually rise, the Information Regulator says it needs more staff.

As cyber attacks escalate and companies fail to report hacks under the Protection of Personal Information Act (POPIA), the Information Regulator does not have sufficient staff to enforce the law.

Mukelani Dimba, executive for and communication at the Information Regulator, tells ITWeb there’s a mismatch between research into the number of threats and what is reported.

He says based on the available data, “only a fraction of incidents gets reported to the regulator”.

Check Point Research’s July report showed that South African companies experience 2 113 cyber security threats a week. “It is fair to assume that a fair number of those incidents involved personal information,” he says.

Dimba notes that “at the end of the 2024/25 financial year, a total of 2 374 security compromise incidents were reported to the regulator for the whole year; 1 607 security compromised incidents were reported in the period from April to end of September 2025”.

The under-reporting comes as global threats intensify. The latest Mimecast 2025 Global Threat Intelligence Report shows that, in the first nine months of 2025, it flagged more than 9.13 billion threats across the world.

South Africa has emerged as the phishing capital of the cyber world, according to the latest bi-annual Threat Report from global cyber security provider ESET.

Mimecast reported an increase in techniques such as phishing, schemes like ClickFix, AI-augmented phishing, and business e-mail compromise – all of which are being enhanced through the use of generative AI.

“We're seeing a clear evolution in attacker behaviour in 2025, headlined by an exponential rise in AI-driven threats,” said Ranjan Singh, Mimecast chief product and technology officer.

Capacity constraints

The Information Regulator's website states that security compromises that result in breaches of personal information must be reported to it and those affected “as soon as it is reasonably sure that a security compromise has occurred. The security compromise does not have to be confirmed before it is reported.”

However, enforcing POPIA presents challenges. Dimba says given that there are frequent data breaches, companies’ limited investment in proper security measures, and the regulator's limited workforce, “naturally there will be workload issues”.

The skills the regulator needs – expertise in assessing technical and organisational measures to ensure data privacy – are available in the market. However, they are often “beyond the reach of the Information Regulator” because it can't compete with private sector salaries, Dimba says.

Spam and phishing are the second- and third-most encountered threats, according to Mimecast.

“This may mean that investigations or assessments take longer than if there were significantly more people working on these cases,” he adds.

Nerushka Bowan, technology and privacy lawyer, tells ITWeb that “it is difficult for the Information Regulator to investigate each and every single reported incident due to capacity constraints and resourcing limitations”.

She says the regulator often focuses attention on the larger incidents, which makes practical sense. “In an ideal world, every single incident would be investigated to the same degree, but in the real world sometimes we have to work with what we have.

“At the moment, they are doing what they can with the resources they have available,” Bowan adds.

Marijke Coetzee, a professor in the School of Computer Science & Information Systems at North-West University, notes that “a significant issue is that South African law enforcement lacks the technical capacity to investigate cyber crime effectively”.

Enforcement actions

Despite these limitations, the regulator has pursued enforcement action. During the 2023/24 year, it received 1 044 public complaints under POPIA, of which 637 were resolved. Thirteen responsible parties were assessed for compliance with the law, and 10 assessments were prepared for enforcement notices.

This is in addition to the 108 national and provincial government departments, universities, political parties and JSE-listed companies it probed on its own, using the Promotion of Access to Information Act to secure information.

Dimba says the regulator prides itself on the high quality of technical analysis conducted in several cases. Without naming the parties, he cites cases involving a credit reporting agency, a major government department and multiple financial services providers as examples of successful enforcement.

“Not once have we been challenged on the technical finding and our analysis,” says Dimba.

Enforcement notices listed on the regulator's website include one against WhatsApp from April for “a breach of the conditions for the lawful processing of personal information”. This is on the basis that its terms and conditions are not in line with POPIA.

In November last year, it took the initiative to probe the Department of Basic Education and found it had also breached the conditions for the lawful processing of personal information. This was because the department admitted it had published the personal information of 2023 matriculants, in the form of their results, in newspapers without obtaining consent.

Broader challenges

Bowan adds that cyber security is a much wider issue that relates to securing all data and systems, not just personal information, which is the regulator’s mandate.

Coetzee comments that “most people have no idea where to turn when they are compromised; therefore, cyber criminals get away with attacks”.

“The solution to this problem is more than laws and enforcement. It is a whole new mindset that each individual needs to have, like we all guard our homes against criminals,” says Coetzee.
