As the number of data breaches in the country grows, the Information Regulator has raised concerns and demanded greater transparency from Standard Bank regarding a data breach involving unauthorised access to client personal information.
This comes after Standard Bank identified unauthorised access to select client data in March 2026, impacting information such as names, ID numbers and company registration numbers.
Banking systems
Standard Bank said banking systems were not compromised, but warned that affected clients are at risk of impersonation and phishing scams.
While Standard Bank said it is actively investigating, notifying impacted customers directly, and increasing security monitoring, the IR wants answers.
Assessment
Advocate Tshepo Boikanyo, Executive: Protection of Personal Information (POPIA) at the IR, said they will be assessing the Standard Bank data breach.
“In this instance, we’ll be looking at the access controls measures that Standard Bank has, we’ll be looking at whether Standard Bank uses strong user authentication, we’ll be looking at their encryption, and whether they encrypt their personal information.
“We’ll be looking at their network system, security, we’ll be looking at their firewall and their intrusion detection system, and we were looking at their monitoring and logging,” Boikanyo told eNCA.
Security measures
Boikanyo said as part of their investigation, the IR will also probe whether Standard Bank has adequately and effectively protected customers’ information by having adequate measures in place, whether they are effective, the bank properly identified and mitigated against any foreseeable risks to the personal information that it is processing, and whether there are any weaknesses or in the controls and the system monitoring.
“Standard Bank has said to us that it is still conducting its own investigation. Standard Bank has not really come to a determination of how widespread this particular problem is, in other words, how many data subjects have been impacted.
“Standard Bank, as the responsible party, is going to conduct its own assessment, but we are also going to conduct a parallel process. We are also conducting our own fact finding over the view of to determine whether we are going to go the route of a formal investigation,” Boikanyo said.
SA global hotspot for data breaches
Last year, The Citizen reported that South Africa continued to be a target of cybercriminals, ranking 27th globally among the most breached countries in the second quarter of 2025, highlighting persistent cybersecurity gaps.
The report by Surfshark revealed that, so far in 2025, a total of 369 600 accounts were leaked in the country.
Surfshark’s report indicates that more than 21 000 South African accounts were breached between April and June, which translates to approximately three per 100 000 people.
In total, South Africa has had 124.2 million personal records exposed since 2004. On average, each email is breached with 2.9 additional data points.
