About
Subscribe

PRASA data breach results in defamation lawsuit

Admire Moyo
By Admire Moyo, ITWeb news editor
Johannesburg, 04 Aug 2025
A former PRASA employee claims he was wrongfully implicated in a cyber crime probe.
A former PRASA employee claims he was wrongfully implicated in a cyber crime probe.

The High Court in Pretoria has dismissed an attempt by the Passenger Rail Agency of South Africa (PRASA) to block a defamation lawsuit brought against it by one of its former senior employees, Matsobane Masenya.

The defamation case emanates from mid-2022 to 2024, when PRASA experienced cyber breaches on its SAP vendor management system. This resulted in the interception of payment files and replacement of legitimate vendor details with fraudulent accounts, resulting in “fraudulent financial losses to PRASA”.

In a ruling handed down on 1 August, acting judge J Vorster rejected PRASA’s exception to Masenya’s amended particulars of claim, in which the agency argued that the defamation suit disclosed no valid cause of action.

Masenya, who worked as a senior systems administrator at PRASA since 2009, claims he was wrongfully implicated in a cyber crime investigation after the state-owned rail company suffered a series of vendor payment breaches between 2022 and 2024.

An external forensic report compiled by Shield Technology, commissioned by PRASA, labelled him a “prime suspect”.

Following this, Masenya was suspended and subjected to a disciplinary process. Among the charges he faced were allegations of failure to protect PRASA’s interests, unauthorised access to other employees’ computers and contravening cyber crime legislation.

However, he was cleared by the disciplinary hearing’s chairperson, who found the evidence against him speculative and lacking credibility.

Masenya is now suing PRASA for defamation, alleging that damaging statements about his alleged involvement in the breaches were widely circulated within the organisation, legal firms and disciplinary witnesses.

He further claims that PRASA’s actions resulted in the lodging of a criminal case against him and contributed to media reports that, although not naming him directly, could be linked to him by those familiar with the matter.

PRASA argued in its exception that Masenya’s claim failed to show publication of the alleged defamatory statements, lacked legal wrongfulness, did not comply with procedural rules and failed to establish intent to defame.

However, the court dismissed all four grounds. On the matter of publication, the judge found that Masenya’s claim identified individuals to whom the statements were made, satisfying the legal threshold.

On wrongfulness, the judge held that accusations of fraud, even if later disproven, could clearly damage a person’s reputation and thus met the test for defamation.

The court also ruled that the procedural rule cited by PRASA – Uniform Rule 18(6), which relates to contractual claims – did not apply, as Masenya’s claim was not based on a contract but on defamation.

Regarding intent, the judge pointed to established case that holds intent to defame is presumed once publication and wrongfulness are proven.

“The exception dated 17 April 2025, is dismissed,” the court ordered. “The defendant/excipient is directed to pay the costs of the exception, such costs to be taxed on scale A.”

Share