Field Note · March 2026

The Slow Breach: Five Years of Cyber Incidents Inside South Africa's Government

A visual analysis of publicly confirmed intrusions across ministries, state-owned entities, and critical infrastructure, 2021 to 2026. Framing partly prompted by threat intel shared via @VECERTRadar.

01 · The Verdict

Not isolated incidents. A systemic resilience problem.

Across the last five years, at least nine publicly confirmed cyber incidents have struck South African government entities, spanning justice, logistics, defence, health, weather, labour statistics, Parliament itself, and the Reserve Bank. Read individually, each looks like bad luck. Read together, they describe a state whose digital surface is under continuous, varied pressure, and whose disclosure practices lag behind the attacks themselves.

Pattern
Sustained, Cross-Sector, Under-Disclosed
Ransomware and data-extortion dominate the confirmed record, but the more damning signal is institutional: incidents surface through annual reports, ministerial speeches, union statements, and in one 2022 case, a phone call from the FBI. The real breach count almost certainly exceeds the public ledger.
02 · Timeline

Nine confirmed incidents, 2021–2026

Each marker is an officially confirmed or well-documented incident against a South African government entity or state-owned enterprise. Colour denotes attack type. Vertical position encodes approximate operational severity based on service disruption and data exposure.

Incident Timeline · Severity × Date (chart; x-axis 2021 to 2026, y-axis High / Med / Low severity)
Markers, in date order:
Transnet · Jul 2021 · Ports paralysed
Dept of Justice · Sep 2021 · Ransomware
SARB (thwarted) · Aug 2022 · FBI alert
SANDF · Sep 2023 · Leaked data
NHLS · Jun 2024 · Surgeries delayed
Public Works · Jul 2024 · R300m theft
Weather Service · Jan 2025 · ICT down
Parliament · Mar 2025 · YouTube hijack
Stats SA · Mar 2026 · HR DB ransom
Colour key: Ransomware · Data Exposure · Service Disruption · Cyber-enabled Fraud · Platform Takeover · Foreign-flagged Attempt
The 2022 entry is telling: the FBI, not South Africa's own monitoring, detected an active intrusion attempt against the Reserve Bank and phoned the Hawks. Finance Minister Godongwana later said publicly that the FBI "beat" the domestic security cluster to it. The attempt was reportedly unsuccessful, but the detection gap is the story.
03 · Incident Dossiers

What actually happened

Nine concise dossiers. Eight confirmed successful incidents plus one thwarted intrusion, the 2022 SARB case, included because foreign monitoring, not domestic, was the reason it was caught. Each dossier is stripped of the euphemisms that tend to accompany official breach communications in the region.


22 July 2021
Transnet SOC Ltd.
Ransomware
Port and rail operations disrupted across Durban, Ngqura, Port Elizabeth, and Cape Town. Force majeure declared at container terminals. The most consequential single hit to South African critical infrastructure in the period.
6 September 2021
Department of Justice
Ransomware
Email, bail services, letters of authority, and the child maintenance system encrypted. The Information Regulator later found roughly 1,204 files were exfiltrated and fined the department for inadequate controls.
12 August 2022
SA Reserve Bank · thwarted
External Alert
The FBI phoned South Africa's Hawks to warn that SARB was being hacked. Foreign monitoring caught what domestic monitoring missed. Finance Minister Godongwana later said the FBI "beat" the country's security cluster. SARB maintains systems were not impacted and the attempt did not succeed.
Aug–Sep 2023
South African National Defence Force
Data Leak
The Snatch group claimed a breach and published data analysts assessed as authentic. SANDF's denial was not fully persuasive to external reviewers; classified material may have been exposed.
June 2024
National Health Laboratory Service
Data Exposure
Unauthorised access to systems, networks, and databases. Diagnostic results for millions of tests delayed; critical surgeries cancelled. Over 1TB of sensitive health data reportedly compromised.
Revealed 9 July 2024
Public Works & Infrastructure
Cyber Fraud
Roughly R300 million stolen over a decade through a cyber-enabled theft scheme. Four officials suspended, laptops seized, banking partners brought into the forensic loop.
26 January 2025
SA Weather Service
Disruption
ICT systems taken offline. Aviation and marine forecasting forced onto alternative channels. Recovery stretched into late February, a tangible hit to transport safety and agricultural planning.
15 March 2025
Parliament of South Africa
Platform Takeover
One of Parliament's 25 YouTube streaming services, integrated with its official social accounts, was breached and used for unauthorised uploads. Smaller operational footprint but symbolically damaging.
29 March 2026
Statistics South Africa
Data Extortion
HR job-application database compromised. Attackers demanded a reported R17m ransom. Stats SA insists core statistical production systems were untouched; unions dispute the scope.
04 · Attack Surface

What the distribution tells us

Break the eight incidents down by attack type and by sector. Two patterns emerge: ransomware and data-extortion together make up the majority of confirmed cases, and the sectoral spread is wide enough that no single ministry can own or fix the problem alone.

Breakdown by Attack Type · 2021–2026 (bar chart)
Ransomware · 2 incidents
Data Exposure · 3 incidents
Disruption · 1 incident
Cyber Fraud · 1 incident
Platform Hijack · 1 incident
External Alert · 1 attempted (SARB; open-outlined bar)
Data-exposure incidents (NHLS, SANDF, Stats SA) still outnumber any other category. The open-outlined "External Alert" bar marks the 2022 SARB case, which is categorically distinct because the intrusion was flagged before it landed, and flagged by a foreign agency at that. Treasury sits inside this incident's notification chain rather than as a victim of its own separate attack.
Sectoral Spread · Confirmed Incidents by Function (bar chart)
Justice · 1 confirmed
Logistics (SOE) · 1 confirmed
Defence · 1 confirmed
Health · 1 confirmed
Public Works · 1 confirmed
Weather / Climate · 1 confirmed
Legislature · 1 confirmed
Statistics · 1 confirmed
Finance / Central Bank · 2 entities (SARB · Treasury)
Nine sectors, ten entities. Finance is the only sector that pulls in two institutions: SARB as the direct target of the 2022 attempt, and Treasury as the recipient of the cascading FBI alert and the ministry that ultimately disclosed it publicly. The flatness everywhere else is itself the finding: attackers are not picking a lane.
05 · Target Profile

What makes an entity a target

Strip the incidents down to their shared traits and a composite portrait emerges. The targeted entities (ten of them once SARB and Treasury are folded into the financial spine) are not random. They cluster tightly around six characteristics. Any South African public body that scores high across most of these columns is, operationally, next in line.

Target Characteristics Matrix · Filled = trait present (grid)
Columns: Holds sensitive data · Operationally critical · Legacy ICT / AG flags · Public-facing portal · Vendor / procurement risk · Weak in-house SOC
Transnet · 4 / 6
Dept of Justice · 5 / 6
SANDF · 4 / 6
NHLS · 6 / 6
Public Works · 3 / 6
Weather Service · 5 / 6
Parliament · 3 / 6
Stats SA · 5 / 6
SA Reserve Bank (thwarted) · 5 / 6
National Treasury (notified) · 6 / 6
Trait frequency across 10 entities: sensitive data 6 · operationally critical 7 · legacy ICT / AG flags 8 · public-facing portal 7 · vendor / procurement risk 9 · weak in-house SOC 9
Three traits now appear in eight or nine of ten entities: legacy ICT debt, vendor / procurement exposure, and thin in-house security operations capability. NHLS and Treasury both score the full six, and in both cases the systemic risk is obvious. SARB scores 5/6; the only column it escapes is the legacy-ICT one, and even that is debatable given the 2022 alert came from Quantico rather than Pretoria.
8 / 10
Legacy ICT Debt
The Auditor-General has flagged ICT control weaknesses at almost every entity in this list prior to its breach. SARB is the one partial exception, and even there, the FBI-first 2022 detection tells its own story about operational monitoring.
9 / 10
Outsourced Security
Most targeted entities depend on external vendors for core security functions. Contract gaps, expired licences, and unpatched managed systems recur across the post-incident forensics.
7 / 10
Public-Facing Portal
Where there is a citizen-facing web application (job portals, bail services, streaming, forecasting APIs) there is an initial access vector. Public-facing is not the same as public-hardened.

The composite target profile is unflattering but clear: a data-rich public body running on legacy infrastructure, leaning heavily on outside vendors for security it cannot staff internally, exposing at least one citizen-facing portal, and operating under Auditor-General findings it has not yet closed out. Treasury's perfect 6/6 score is the sharpest warning in the matrix: the ministry that coordinates the country's public finance carries every trait that defined every other breach in this window. Read that against any department not yet in the public record and the next breach stops looking like a surprise.

06 · Geography

Where the hits cluster

There is no provincial pattern here. No "Limpopo problem" or "Western Cape problem." The geography is hierarchical, not regional. Attackers concentrate on national institutions headquartered in Pretoria and on the large metros that host the country's financial, logistics, and utility spines. Small-town and rural government barely registers in the public incident record, less because it is secure and more because it is neither digitally exposed nor newsworthy enough to surface.

South Africa Incident Footprint · National Axis and Port Nodes (map)
Map of South Africa on a provincial base map with hub markers. Pretoria carries the heaviest concentration, Johannesburg overlaps as a metro services node, and Durban, Gqeberha, and Cape Town mark the logistics-linked port spine.
Pretoria · 7 of 9 incidents · national departments, SARB, Parliament disclosure chain
Johannesburg · metro overlap · City Power and recurring services exposure
Durban · port node · Transnet logistics operations
Gqeberha · Ngqura terminal · Eastern Cape port exposure
Cape Town · port + Parliament seat · terminal disruption and legislative presence
Intensity key: national political / financial core · metro utility and service overlap · critical logistics node · port-linked incident propagation · low-visibility interior (small-town and rural government rarely enters the public record)
Laid over a provincial base map rather than a schematic, the distribution is unchanged: Pretoria still dominates the incident map, Johannesburg remains the metro-services overlap, and the coast lights up where Transnet turns one compromise into a multi-port story.
7 / 9
Pretoria-Seated
Seven of the nine incidents struck entities headquartered in Pretoria. Attackers are targeting the constitutional and administrative centre of the state, not its periphery.
3 / 9
Port Cities
Transnet alone pulled in Durban, Cape Town, and Gqeberha through a single ransomware event. Port logistics is a geographic category because of how one compromise propagates across terminals.
0 / 9
Rural / Small-Town
No small-municipality breach appears in the public record for this window. Read this as a visibility gap, not a security win. Local government is both less digitised and less reported on.

The SARB case sharpens the geographic point. A foreign agency, the FBI, detected an active intrusion against South Africa's central bank before any domestic institution did, and the alert routed through the Hawks before reaching Treasury and SARB itself. That is not a location problem. It is a national-monitoring problem, concentrated at the same coordinates where the country's most valuable targets sit. The attackers know the postcode. The defenders are still assembling the map.

07 · Trends

Three patterns worth watching

If the timeline is the what, these are the so-what. Three trends cut across the incidents and determine whether the next five years look like the last.

5 of 9
Operational Disruption
Most incidents didn't just steal data. They stopped services. Ports, courts, forecasts, surgeries, and HR pipelines all went dark. Cyber risk in South Africa is now indistinguishable from service-delivery risk.
6–18 mo
Disclosure Lag
NHLS surfaced via an annual report. DPWI surfaced via a minister's speech. The gap between compromise and public acknowledgment is where accountability quietly disappears.
0
Unified Response
No single coordinating body publishes a consolidated incident register. The Information Regulator, SSA, and individual departments each hold fragments. The public has to reassemble the picture by hand.
Confirmed Incidents per Year · 2021–2026 (bar chart; y-axis 0 to 3, 2022 bar marked SARB · thwarted)
The 2022 bar is the SARB warning: an intrusion flagged to South African authorities by the FBI before domestic monitoring detected it. SARB says the attempt did not succeed, but its presence erases the "quiet year" narrative. Every year in the window now carries at least one confirmed incident.
08 · The Deeper Problem

Disclosure is the resilience story nobody is telling

South Africa's 2024–2028 National Security Strategy acknowledges, in sharper language than previous versions, that cyberattacks on state information resources are increasing. That acknowledgment matters. But strategy documents do not substitute for operational transparency, and transparency is where the current model breaks down. The 2022 SARB case made that uncomfortably clear when the FBI, not the State Security Agency, was the party that spotted an active intrusion against the country's central bank.

The through-line across Transnet, Justice, NHLS, DPWI, SAWS, Parliament, and Stats SA is not a technical vulnerability. It is an institutional one. Departments disclose on their own timelines, in their own formats, to their own audiences. The Information Regulator acts after the fact. No public-facing dashboard exists. Parliament itself was breached, and the public learned via a press release about a single YouTube channel. That is not a resilience posture; that is a communications posture.

A realistic reform path would start with three moves: a mandatory incident register under SSA or the Regulator with fixed disclosure windows, a consolidated post-incident review mechanism with published findings, and procurement rules that tie ICT vendor payments to documented security baselines. None of this requires new legislation. POPIA and the Cybercrimes Act already carry most of the authority. What is missing is the operational will to use them as a system rather than as episodic instruments.
