InfoReg raises alarm as data breaches hit 788 in Q1

By Admire Moyo, ITWeb news editor
Johannesburg, 14 Apr 2026
Advocate Pansy Tlakula, chairperson of the Information Regulator

South Africa’s Information Regulator has raised concern about the increased number of breach notifications it is receiving from local organisations.

The watchdog has exclusively told ITWeb that from 1 January to 31 March, it received 788 breach notifications from South African organisations.

Led by advocate Pansy Tlakula, the Information Regulator is an independent statutory body established under the Protection of Personal Information Act (POPIA) and accountable to the National Assembly.

Its mandate is to monitor and enforce compliance with POPIA and the Promotion of Access to Information Act across both public and private bodies, ensuring the lawful processing of personal information and the protection of individuals’ rights to privacy and access to information.

The regulator also investigates complaints, issues guidance and codes of conduct, and may impose penalties for non-compliance. Its responsibilities have expanded to include oversight of access to information functions previously held by the South African Human Rights Commission.

Prominent targets

The watchdog’s concerns come after some recent high-profile breaches were reported in South Africa.

Standard Bank and its insurance subsidiary Liberty Group both recently suffered data breaches, raising fresh concerns about cyber security risks in the financial sector.

The big-four bank recently notified clients of unauthorised access to parts of its systems, exposing personal and business information, such as account numbers, company names and ID details, although it stressed that no funds were compromised and core banking systems remain secure.

Earlier, Liberty confirmed that an external party gained access to customer data, including sensitive personal information like names and ID numbers, prompting an investigation and client notifications.

In a related development, Statistics South Africa also revealed a breach involving its systems, after a hacker group claimed to have accessed data and demanded a ransom. The agency said the incident affected a human resources database used by job-seekers.

The incidents highlight an escalating wave of cyber attacks across the public and private sectors, raising concerns about identity theft, fraud and the resilience of critical data systems.

Nomzamo Zondi, spokesperson of the Information Regulator, tells ITWeb via e-mail that although the affected organisations informed the watchdog about the incidents, the information they supplied is not enough for thorough investigations.

Regarding the Standard Bank and Liberty breach, she says the regulator is sending an information notice to obtain further details in order to conduct an assessment of the case.

“We are very concerned [about the data breach] and the implications it has on the data protection of data subjects,” says Zondi.

Under POPIA, organisations are required to report data breaches to the Information Regulator to ensure transparency, accountability and the protection of individuals’ personal information.

Reporting enables the regulator to assess the scope and impact of the breach, ensure appropriate remedial actions are taken, and, where necessary, guide organisations on mitigating harm.

It also helps to safeguard affected data subjects by ensuring they are informed of potential risks, such as identity theft or fraud, allowing them to take protective measures.

Ultimately, mandatory notification strengthens oversight, promotes responsible data handling practices, and reinforces public trust in how organisations manage sensitive information.

Security gaps

Asked why South African organisations are increasingly being targeted, Zondi says: “We have not conducted an analysis to this extent; however, we have picked up through our assessments that the notifications reveal that the responsible parties do not always succeed in securing the integrity and confidentiality of personal information in their possession or under their control.”

She believes organisations should be doing more to protect their IT systems from unauthorised third parties.

“Responsible parties are required to take appropriate, reasonable technical and organisational measures in terms of section 19 of POPIA,” she notes.

“The majority of the security compromise notifications recorded this year are as a result of human errors (non-cyber security in nature) while some notifications are related to cyber breaches with malicious intent.”
