The Land and Agricultural Development Bank of South Africa (Land Bank) is tightening its cyber security controls after suffering a ransomware attack in January that compromised parts of its IT environment and exposed internal data.
This is according to finance minister Enoch Godongwana, responding to a parliamentary question from Adil Nchabeleng, Member of Parliament for the uMkhonto weSizwe party.
Godongwana confirmed the Land Bank experienced a ransomware attack on 12 January 2026 after detecting unauthorised activity within parts of its computer systems.
Preliminary investigations indicated that a third-party gained access through a vulnerability on an internet-facing server and deployed ransomware, which encrypted a portion of the Land Bank server environment, as well as multiple laptops, he explained.
Godongwana noted: “In the medium- to long-term, the Land Bank board has already approved an implementation plan for an information security controls improvement plan in accordance with industry best practice. This will improve the security posture of the Land Bank. The improvement plan will be implemented in phases, with most action items targeted to be implemented within the next six months.”
During the restoration of the Land Bank IT environment, the bank isolated its environment, removed indicators of compromise, strengthened its security controls by hardening and configuring firewalls and patching vulnerabilities, Godongwana noted.
“These measures are aimed at ensuring that any unauthorised attempts to enter the bank’s IT environment can be detected and remediated effectively and timeously.”
The Land Bank is a state-owned development finance institution. It is wholly-owned by the South African government, with the shareholder represented by the minister of finance.
Its mandate is to finance and promote agricultural development and food security in SA.
Inaccessible IT systems
Godongwana stated the attackers demanded a ransom of five Bitcoin – worth about R5.4 million – in exchange for the return or non-publication of the data.
“Land Bank has taken the decision not to make any ransom payment and confirms that no ransom payment was made.
“The threat actors encrypted and exfiltrated files from Land Bank’s file server. A preliminary assessment of the compromised data indicated the threat actors obtained access to a broad range of organisational records, including but not limited, to board and committee documents, corporate governance records, and human resources records.”
Despite the breach, the bank’s most critical financial systems were not compromised, he pointed out.
“It must be noted that Land Bank’s critical ERP, core banking and customer relationship management systems were not accessed, and therefore not compromised by the threat actor,” he said. “This was due to the SAP system being in a separate technical environment to that of the rest of the servers.”
However, other parts of the bank’s IT environment were affected. Godongwana noted that the remainder of the environment, including non-SAP servers, were either encrypted or rendered inaccessible to IT teams and users, while multiple laptops were also encrypted during the incident.
The incident was reported to the South African Police Service on 17 January in accordance with the Cyber Crimes Act No 19 of 2020.
The bank also notified the Information Regulator on 16 January under the Protection of Personal Information Act No. 4 of 2013 (POPIA), and informed affected data subjects through a notice on its website, he added.
The institution has been engaging with the Prudential Authority, submitting a formal notification on 29 January and providing regular updates on restoration efforts.
The State Security Agency was also notified on 9 February and has been consulted on the status of the cyber incident.
According to Godongwana, the bank has incurred costs related to cyber security, forensic investigations, legal services and IT restoration following the breach. While cyber security insurance may cover some of the expenses, the institution is still assessing the overall financial impact.
“There is no evidence of any financial impact to bank accounts, ERP and/or core banking systems,” the minister said. “Land Bank is currently finalising an assessment on restoration and resilience-building activities, including forensic, restoration and cyber security upgrade costs.”
On its website, which is temporarily unavailable, the bank explains it is currently investigating the incident.
“Please be assured that we are still in the process of investigating this incident and will be implementing the necessary security measures to minimise the effect of this security compromise.
“We take our data protection responsibilities under POPIA seriously. We regret any inconvenience this may cause and are committed to protecting your personal information. We continue to monitor the situation and will take further action if required,” says the Land Bank.
Share