Information Regulator of South Africa Probes Major Data Breaches at Standard Bank and Liberty Group

In the hushed corridors of the Information Regulator’s offices in Braamfontein, the phones have not stopped ringing for three weeks. On the other end of the line are not angry customers—though there are plenty of those—but forensic auditors, cybersecurity specialists, and international data protection authorities. All of them are asking the same question: Just how bad is it?

The answer, according to the Information Regulator of South Africa (IRSA), is that no one knows yet. Not fully.

In a statement released on Thursday morning, the Regulator confirmed that it is actively investigating major data breaches at two of the country’s most prominent financial institutions: Standard Bank and its wholly-owned insurance subsidiary, Liberty Group. The incidents first came to light on 23 March 2026—exactly three weeks ago—but the Regulator now warns that the full scope of the exposure remains unclear.

“What we have are fragments,” said IRSA Chairperson Advocate Pansy Tlakula in a telephonic interview. “We know data left the building. We know it was unauthorized. But who took it? How much? Where has it gone? These are not questions that yield quick answers, no matter how much the public demands them.”

The Discovery

The breaches were discovered not by the banks themselves, but by an independent cybersecurity researcher based in Cape Town. The researcher, who has asked to remain anonymous due to the sensitivity of the investigation, was monitoring a known cybercriminal forum on the dark web when he noticed a familiar file structure—one that matched Standard Bank’s internal customer data architecture.

According to a technical summary shared with the Regulator, the compromised data appears to include customer names, ID numbers, email addresses, phone numbers, and in some cases, account numbers and policy details. Critically, both Standard Bank and Liberty have insisted that no passwords, PINs, or direct access credentials were exposed. But the Regulator has not confirmed that claim.

“We are verifying the banks’ assertions independently,” Tlakula said. “Financial institutions have a vested interest in calming their customers. Our only interest is the truth.”

The Scale of Uncertainty

The Regulator’s statement struck an unusually cautious tone, a departure from the confident declarations that often accompany data breach notifications. It noted that while Standard Bank and Liberty Group have provided preliminary reports, those reports are “incomplete” and “lack sufficient technical granularity.”

In plain language: the banks themselves may not yet know what was stolen.

Standard Bank, in a separate statement to shareholders, said it had “contained the security incident” and had “engaged external forensic experts to conduct a full investigation.” The bank also confirmed that it had notified the Regulator within 48 hours of discovery, as required by the Protection of Personal Information Act (POPIA).

But the Regulator’s own investigators have since identified discrepancies. Internal logs at Liberty Group, for example, show unusual data export activity spanning a period of 17 days—not a single intrusion event. That suggests the attacker or attackers may have had sustained access, potentially moving laterally through the companies’ shared IT infrastructure.

“Seventeen days is an eternity in cybersecurity,” said Lwazi Mthembu, a data privacy consultant not involved in the investigation. “In 17 days, you can exfiltrate terabytes of data. You can sell it. You can move it across borders. You can do a great deal of damage, all while the bank’s own systems are still logging your movements.”

The Regulatory Teeth

This is the first major test of the Information Regulator’s enforcement powers under POPIA, which has been fully active since 2021. The law allows the Regulator to impose fines of up to R10 million or imprisonment for up to 10 years for serious violations. More immediately, the Regulator can issue enforcement notices compelling companies to take specific remedial actions.

Advocate Tlakula made clear that the Regulator is prepared to use those powers. “We are not here to issue press releases and then walk away. We are here to enforce the law. If we find negligence, there will be consequences.”

She also hinted at a broader concern: that the breach may have resulted from a failure to implement basic security measures, such as multi-factor authentication or data encryption at rest. “Some of these vulnerabilities are well-known. They have been well-known for years. There is no excuse.”

The Customer Fallout

For the millions of South Africans who bank with Standard Bank or hold policies with Liberty, the breach is a source of deep anxiety. Social media has been flooded with reports of phishing attempts, suspicious SMS messages, and calls from people claiming to be “bank officials” asking for verification codes.

While none of these have been definitively linked to the breach, the timing has been enough to spook customers.

“I got a call yesterday from a man who knew my full name, my ID number, and the last four digits of my policy number,” said Thandiwe Nkosi, a Liberty policyholder from Soweto. “He said there was a ‘problem with my claim.’ I’ve never made a claim. I hung up and called Liberty directly. They told me to change my online password. But how do I change my identity?”

Standard Bank has set up a dedicated fraud hotline and is offering free credit monitoring to affected customers—once they have identified who those customers are. That identification process could take weeks.

The Political Dimension

The breach has also attracted the attention of Parliament’s Portfolio Committee on Justice and Correctional Services, which has summoned both the Information Regulator and the banks’ representatives for a closed briefing next week.

Committee Chairperson Xola Ndlovu said in a statement that “the protection of personal information is not a luxury; it is a constitutional right under section 14 of the Constitution. When that right is violated on this scale, Parliament has a duty to understand why and to ensure it does not happen again.”

Opposition parties have gone further, calling for a full independent inquiry into cybersecurity standards across South Africa’s financial sector.

“The same banks that charge us R150 a month for ‘security fees’ are losing our data by the gigabyte,” said Shadow Minister of Finance Dion George. “The regulator must act. And if the regulator’s powers are insufficient, we must strengthen them.”

What Comes Next

The Information Regulator’s investigation is proceeding along three parallel tracks. First, forensic analysts are reconstructing the timeline of the breach, mapping every data access and export. Second, the Regulator has requested mutual legal assistance from data protection authorities in the European Union, where some of the compromised data may have been routed through third-party cloud servers. Third, the Regulator is conducting interviews with key IT personnel at both Standard Bank and Liberty Group.

A preliminary report is expected within 60 days. But Tlakula warned that a full, definitive accounting could take much longer.

“Data breaches of this complexity are like car accidents at night,” she said. “You see the broken glass, the twisted metal. But understanding exactly how the crash happened—that requires time, expertise, and a great deal of patience.”

In the meantime, the Regulator has issued an urgent advisory to all South Africans: change your banking passwords, enable multi-factor authentication wherever possible, be suspicious of unsolicited calls or messages, and monitor your bank statements for unauthorized transactions.

It is sensible advice. But for the millions who trusted Standard Bank and Liberty Group with their most sensitive personal information, it is also a bitter reminder that in the digital age, trust is only as strong as the security that backs it.

As the sun set over the Regulator’s Braamfontein offices, the lights on the forensic floor remained on. Somewhere in the servers, in the logs, in the dark corners of the internet, the answers are waiting. The question is whether they will be found before the damage spreads any further.
