It has now become somewhat expected that a couple of months do not pass without us having to discover or hear about another data breach or cyberattack on a prominent South African business or organization. So common have the data breaches and leaks become that it appears people in South Africa, to a certain extent, are now desensitized to their potentially harmful effects.

What is even more worrying is that there are likely many more cyberattacks and data breaches that are not being disclosed by businesses and organizations in South Africa as the country's Protection Of Personal Information Act is only effective and enforceable from 1 July 2021. Added to this, some of the ones that are disclosed are typically clouded in secrecy without the victims knowing if their data was accessed or compromised as part of the cyberattack or data breach.

In this article, we look back at some of South Africa's data breaches and data leaks that were publicly known and made headlines in the past 5 years.

For the past 5 years South Africa has experienced some notable and rather concerning data breaches and leaks. More concerning is also that none of the businesses or organizations have been officially investigated or suffered any punishment.

Ster-Kinekor's website vulnerability

Ster-Kinekor, a wholly-owned subsidiary company of Primedia Group that specializes in mostly cinema theatre entertainment, had a security vulnerability on its website that allowed anyone to leak more than 6 million customer records. The flaw involved an API on Ster-Kinekor's old website at the time.

According to haveibeenpwned, the leaked data set only contained 1,6 million unique e-mail addresses.

Apart from e-mail addresses, all 6 million-plus records in the Ster-Kinekor data set included personal information such as:

  • Names
  • Addresses
  • Birth dates
  • Genders
  • Plain text passwords

A security flaw in eThekwini municipality's eServices website

As soon as the eThekwini municipality launched its new eServices website in 2016, several security vulnerabilities were discovered by researchers on the new website. More importantly, these vulnerabilities allowed anyone with an internet connection and a web browser to view the municipal account information and personal records of over 98,000 residents of the municipality.

Also concerning was that the municipality appeared to be storing user passwords in plain text: every e-mail response to a help request included the user's login details, including the password in plain text.

Of the 98,000-plus unique records that were accessible, haveibeenpwned reported that only 81,830 contained e-mail addresses. The information contained in all 98,000+ records was:

  • Names
  • Dates of birth
  • Deceased dates
  • E-mail addresses (where available)
  • Genders
  • National ID numbers
  • Passport numbers
  • Passwords
  • Phone numbers
  • Physical addresses
  • Utility bills

Over 50 million unique personal records of South Africans leaked online

During March 2017, Troy Hunt, founder of haveibeenpwned, was sent a 27GB database backup file named "masterdeeds." Given how many data breaches Hunt receives daily, he would only get around to investigating the file in October 2017.

It would turn out the database contained over 50 million personal records of South Africans, both living and deceased. Further research and interviews by iAfrikan revealed that the server that the file was leaked on belonged to a real estate company. Furthermore, Dracore Data Sciences, a data aggregation company, admitted that the real estate company (Jigsaw Holdings) was their customer and that they had enriched a database for them and sold it to them.

What was never clear and is up to the relevant authorities to investigate is which party was responsible for the database being made available on a publicly viewable online directory.

Although it contained over 50 million unique personal records, only 2,257,930 records had an e-mail address. The data set included the following information:

  • Names
  • Dates of birth
  • Deceased statuses
  • E-mail addresses
  • Employers
  • Ethnicities
  • Genders
  • National ID numbers
  • Property ownership statuses
  • Job titles
  • Company directorships
  • Nationalities
  • Phone numbers
  • Physical addresses

Traffic fines website leaks 934,000 customers' personal records

During 2018, a database containing over 934,000 personal records of South Africans was discovered on a publicly accessible file-sharing website. Although Troy Hunt, a security researcher and founder of haveibeenpwned, couldn't initially make out what the data was and the possible organization linked with it, further investigations and research by iAfrikan revealed that it was the data of customers of a traffic fines payment website, Viewfines[.]co[.]za.

The second confirmation came when iAfrikan spoke to the website owners and they confirmed that they had copied the database to a file-sharing website as part of upgrading and migrating their website. Among other records, the data set contained plain text passwords of the website's users.

The Viewfines data set of 934,000 people in South Africa contained:

  • Names
  • Plain text passwords
  • E-mail addresses
  • Phone numbers

Close to 60,000 South Africans' data leaked as part of Facebook's Cambridge Analytica saga

During 2015, approximately 50 million Facebook user profiles were harvested by Aleksandr Kogan’s app, “thisisyourdigitallife”, through his company Global Science Research (GSR) in collaboration with Cambridge Analytica. This included 33 Facebook users in South Africa who used Kogan's app.

As a result of this, the social media company confirmed that 59,777 Facebook users in South Africa were affected by the Cambridge Analytica saga, i.e. their data was leaked.

Apart from names and e-mail addresses, Facebook was cagey in confirming to South Africa's Information Regulator what user data was accessed.

Experian data of 24 million South Africans and over 700,000 businesses leaked on the internet

On 20 May 2020, the South African subsidiary of Experian, an Irish-domiciled global consumer credit reporting company, sold the data of 24 million individuals in South Africa as well as over 700,000 businesses incorporated in South Africa to what they say they thought was a "legitimate customer." Following that sale, during July 2020, Experian says it realized the customer hadn't paid for the data requested and allegedly delivered. As such, the company says it further discovered that the person who requested the data was not a customer but rather had allegedly impersonated their customer.

On 19 August 2020, the South African Banking Risk Information Center (SABRIC) released a press statement revealing the “Experian Data Breach.” After this, South African banks and financial institutions confirmed the data breach to their customers.

Several weeks later on 1 September 2020, iAfrikan would discover the leaked data set on a publicly viewable website. Asked by iAfrikan, Experian would confirm that this data matched the data from their data breach.

The breached and leaked data of 24 million individuals in South Africa included:


The data set of over 700,000 businesses incorporated in South Africa as found in the leaked Experian data files included:

  • Debtor Name
  • Vat Matched Flag
  • Legal Name
  • Alt Name Type
  • Alt Name
  • Name Change Type
  • Changed Name Entity
  • Company Status
  • Reg Number
  • Report Date
  • Enquiry Amount
  • Enquiry Terms
  • Bank Code
  • Bank Code Date Sicc Source
  • Sicc Description
  • Holding Company
  • Turnover Range
  • Score Comment
  • R/D Cheques
  • Adverse References
  • Postal Address
  • Street Address
  • VAT Number
  • Ultimate Holding Company
  • Last JU Date
  • Auditor Fax
  • Bankers Account#

Notable mentions

As mentioned at the beginning of the article, most data breaches in South Africa are clouded in secrecy and non-disclosure. Apart from investigations by private security researchers and whistleblowers, they never come to be known publicly.

The only other time we get to learn of data breaches in South Africa is when a publicly listed (on the Johannesburg Stock Exchange) company suffers one. However, even in such cases, the company typically only issues a notice stating that it suffered a cyberattack, is cagey about details, and never notifies the customers whose data was accessed as part of the data breach.

Hopefully, this will change once POPIA comes into full effect in South Africa on 1 July 2021 because South Africa has witnessed a rise in identity theft which leads to financial crimes and fraud.

Some of the JSE-listed companies that have suffered data breaches but didn't reveal many details nor notify customers include:
