The country's flagship South Africa Airlines (SAA) confirmed on Saturday, May 3, 2025 that it suffered a significant cyber incident. SAA data breaches have caused temporary disruption to websites, mobile applications, and certain internal systems. However, prompt response measures were implemented, allowing the airline to recover normal operations by the end of the same day.
In a statement issued by the airline, SAA said it immediately stimulated disaster management and business continuity protocols when it discovered the incident. These aggressive measures ensured that the airline's core flight operations remain stable and that critical customer service platforms such as contact centres and sales offices continue to function without interruption.
“Our response team acted swiftly to contain the confusion and launch a comprehensive investigation,” said Professor John Lamora, group CEO of South Africa Airlines. “System security and integrity and protecting customer data remains our number one priority. We are committed to assessing the impact of incidents and strengthening our cybersecurity stance.”
SAA Data Breaches: Independent Investigation and Government Engagement
Immediately after containing the incident, the SAA brought in an independent digital forensics researcher to determine the root cause and assess the full scope of the violation. Research is ongoing, but early signs suggest that the disruption may be the result of external cybercriminal activities.
Given its designation as a key point for the citizen, the SAA is legally bound to follow strict protocols during such cases. In compliance with these obligations, the airline reported the event to the National Security Agency (SSA) in South Africa and the Police Service in South Africa (SAPS), which launched a criminal investigation.
Additionally, as a precautionary measure under the Personal Information Protection Act (Popia), the airline has notified information regulators in South Africa.
Potential data exposure during review
One of the most pressing concerns following cyberattacks is whether sensitive personal or operational data has been accessed or stolen. According to the SAA, the current focus of forensic investigations is to determine whether data has been compromised. The airline has pledged to notify affected individuals in accordance with regulatory guidelines if evidence of data detachment is revealed.
Currently, there is no confirmation that you have access to customer or employee data. However, SAA is urging customers to remain vigilant and report suspicious activity.
Continuous collaboration and commitment to cybersecurity
The SAA has continued to work closely with investigators and government authorities to understand the full scope of the case. The airline emphasized its commitment to strengthening its cybersecurity framework based on the lessons learned from the event.
“We don't turn the stones over to understand what happened and how we can prevent them in the future,” Lamora said. “This includes strengthening our systems, updating our protocols and training our teams. Our goal is to provide reliable and secure services to all our stakeholders.”
Wideer Patterns of South Africa's Cyber Threats
This SAA cyberattack is the latest in a series of cyber incidents targeting major South African organizations across sectors such as healthcare, telecommunications, agriculture and government.
In March 2025, poultry producer Astral Foods reported a cyberattack that is expected to acquire a profit of approximately R20 million (approximately $1.1 million) for its six months ending March 31st.
In 2024, National Health Laboratory Service (NHLS), a leading diagnostic service provider for public health facilities in South Africa, was also suffered a serious cyberattack. The violation forced a complete shutdown of the organization's IT systems, affecting emails, its websites, and critical lab test results systems.
The frequency and impact of these cyberattacks continues to escalate. In 2023, the Rockbit Ransomware Group was linked to attacks on South African organizations, among other countries. In a particularly well-known case of the same year, a ransomware group leaked the South African president's personal information and released some 1.6 terabytes of data allegedly stolen from the country's Department of Defense.
Additional casualties over the past two years include state banks, major energy companies, government employee pension funds, and various government-run labs. In the first few months of 2025, the attackers violated the country's weather department, the largest poultry producers and major telecommunications providers.
Most recently, Africa's largest mobile operator, Telecom Giant MTN Group, confirmed a cyber attack that published private numbers of customers' personal data.
Government response and new reporting laws
Amid growing public concern over these cyber incidents, the South African government enacted a new law in April 2025 requiring all cyber attacks to be reported to the national intelligence regulator. The rules aim to enhance monitoring of security incidents, including personal information, and ensure a faster, more coordinated response to emerging threats.
This new law is a critical step to strengthening the country's cybersecurity and increasing transparency, especially for entities that handle large amounts of sensitive data, such as SAA.
Continuous research and outlook
As SAA continues to investigate SAA cyberattacks, it focuses on ensuring digital infrastructure and maintaining public trust. Customers are encouraged to follow standard online safety practices, such as providing information via official SAA communications channels, monitoring accounts for suspicious activity and avoiding phishing.
The editorial team at Cyber Express contacted South Africa Airlines for more details, but did not receive any additional comments at the time of publication.
Although SAA's immediate response appears to effectively contain disruption, the results of ongoing research could form the company's future cyber strategies and serve as a warning substance for others.
Related
Media Disclaimer: This report is based on internal and external research obtained through a variety of means. The information provided is for reference only and the user is entirely responsible for their reliance on it. CyberExpress is not responsible for the accuracy or consequences of using this information.
