South Africa Ranks 42nd Globally as Data Breaches Expose Millions

Seventy out of every 100 South Africans have had their personal data compromised in a breach at some point - a statistic that places the country among the most persistently exposed nations on earth. New quarterly research from cybersecurity firm Surfshark confirms South Africa ranked 42nd globally in Q1 2026, with the country's cumulative breach record since 2004 standing at 45.7 million compromised accounts. The data paints a picture not of isolated incidents, but of a structural and ongoing failure to protect citizens' digital identities.

The Scale of Exposure

Globally, 210.3 million accounts were breached in the first quarter of 2026 alone. The United States accounted for 29% of that total, followed by France, India, Brazil, and the United Kingdom. South Africa, ranked second in Africa behind an unnamed leader, contributed to a regional pattern of elevated vulnerability that has persisted for two decades.

Of South Africa's 45.7 million historically compromised accounts, 13.3 million involved exposed e-mail addresses and 22.9 million involved leaked passwords. That password exposure figure is particularly significant: it places roughly half of all breached South African users at direct risk of account takeover - and with it, identity theft, extortion, and a range of downstream financial crimes. Usernames, at 12 million exposures, represent the second most commonly compromised data point. Beyond credentials, breached records frequently include identity numbers, payment card details, phone numbers, and physical addresses.

Surfshark defines a breached account as a single online account tied to an e-mail address that has appeared in publicly available databases, potentially accompanied by additional personal information. The methodology is conservative - meaning the real-world impact may be broader than the figures suggest.

Why the Risk Does Not Expire

One of the most consequential aspects of data breaches is their permanence. Once information is leaked, it does not simply become obsolete. According to Tomas Stamulis, chief security officer at Surfshark, leaked data is packaged into "combo lists," merged with new breach datasets, and resold repeatedly on dark web markets. "Even after 10 or 20 years, leaked data is still valuable and can be used against a user to commit fraud, gain access to more data and steal money," he notes. This means that a breach from years ago - a stolen password, an exposed identity number - can resurface as the basis of a new attack long after the original incident has been forgotten.

Cybersecurity experts have confirmed to industry media that stolen South African credentials are being sold on dark web platforms for as little as R100. The criminal ecosystem operates with the efficiency of a commercial marketplace: resources are catalogued, priced, and distributed to buyers who may have no technical skills of their own.

Roy Alves, sales director at managed security services provider J2 Software, makes the point plainly. Most organisations are not being breached through sophisticated zero-day exploits. They are being accessed through weak credentials, misconfigured systems, and unmonitored entry points. "The uncomfortable truth is this: most organisations are not being hacked, they are being quietly accessed through doors they didn't even realise were open," he says. Reused passwords, incomplete multi-factor authentication, and poor identity governance continue to provide low-effort access for attackers - failures that are preventable, not inevitable.

AI Adoption Is Widening the Attack Surface

The rapid expansion of artificial intelligence across businesses adds measurable complexity to an already strained security environment. Surfshark cites OECD data showing that 20.2% of companies reported using AI in 2025, up from 8.7% in 2023 - more than doubling in two years. As AI systems are integrated into operations, they collect and log more detailed user information for automation, analytics, and model training. Every additional platform, every new integration, represents another system to secure and another potential point of failure.

Alves flags the parallel problem of shadow IT: employees and business units deploying software-as-a-service tools, automation workflows, and AI integrations without security oversight. These technologies frequently bypass governance processes entirely, creating unmanaged access points that security teams may never know exist.

Stamulis describes the compounding effect clearly. As companies adopt AI, they store more user data, expand their digital infrastructure, and integrate more platforms. "While this improves the company's efficiency, it also means there are many more systems for businesses to secure, more opportunities for error, and more points where sensitive information can be exposed."

A Systemic Problem That Demands Executive Ownership

South Africa's breach record reflects more than opportunistic attacks. Hendrik de Bruin, head of security consulting for Africa at Check Point Software Technologies, describes it as a persistent and systemic failure. "Being placed 42nd globally and second in Africa indicates that while awareness of cyber risk has improved, execution has not kept pace," he says. Organisations remain largely reactive. Security controls are unevenly applied, legacy systems stay exposed, and basic hygiene measures - identity management, vulnerability patching, incident response - are inconsistently implemented, particularly outside the financial sector.

South Africa's Protection of Personal Information Act (POPIA) has created a legal framework for accountability, but de Bruin notes that enforcement and operational maturity continue to lag well behind attacker capabilities. Legislation, without the organisational will and resources to implement it, does not translate into reduced exposure.

Recent incidents underscore the point. In March 2026, Standard Bank notified business clients of a breach exposing account numbers, ID and registration numbers, and limited account information - data that was subsequently released publicly by the attackers. Standard Bank's subsidiary Liberty also suffered a breach the same month. Statistics South Africa confirmed hackers accessed its systems, with a group demanding R1.7 million in ransom for 154GB of data. In April, Polmed, the medical aid scheme for South African Police Service members, confirmed a suspected breach following a ransom demand. The incidents span the financial sector, a government statistics agency, and a police service benefit fund - institutions that collectively hold some of the most sensitive personal information in the country.

De Bruin's conclusion is direct: until cybersecurity is treated as a board-level business risk - owned at executive level and backed by sustained investment in people, processes, and technology - South Africa will remain an attractive target. The data accumulated over two decades makes that case without ambiguity.