South Africa has had a busy four weeks. A 1.2 terabyte data dump from Standard Bank. A ransomware attack on a private hospital in Durban. R642 million in mule-account fraud blocked by one bank in 14 months. And the Information Regulator signalling that POPIA enforcement is about to sharpen.
This is the SA cyber threat picture every SME owner should know heading into late May 2026. Four developments. Four concrete actions to take this week.
1. Standard Bank / Liberty data dump goes public (Rootboy leak)
On 14 April 2026, a threat actor calling themselves "Rootboy" began publishing data they had stolen from Standard Bank during a three-week intrusion that started in late February. By 17 April, the public dumps included full names, SA ID numbers, driver's licence numbers, passport numbers, credit card numbers, and bulk corporate transactional data. The claimed haul is 1.2 TB and roughly 154 million SQL rows.
Standard Bank confirmed on 14 April that the data was real but stressed that core banking systems were not breached. What was hit was internal admin and document infrastructure, including SharePoint, Jira, Confluence, and Oracle/MS SQL stores. The Information Regulator told the public on 28 April that it was "still assessing" and required more information from the bank.
What this means for an SA SME owner: if your business banks with Standard Bank or holds Liberty cover, your director ID numbers, signatory data, and account references may already be in criminal hands. That data will fuel targeted CEO fraud and account takeover attempts for the next 12 to 24 months.
Do this now. Phone your Standard Bank business banker and request a fresh account number plus reissued cards for any account opened before March 2026. Then enable transaction-level push notifications on every signatory's phone.
2. Ahmed Al-Kadi Private Hospital hit by ransomware (Durban)
On 18 April 2026, Ahmed Al-Kadi Private Hospital in Durban was hit by a ransomware attack. The hospital disclosed the incident publicly through IOL in early May. Systems were isolated, the Information Regulator was notified, and patients were warned to watch for suspicious communications. Patient care was reportedly not disrupted, but the scope of patient and medical record data theft is still under investigation.
This is the local story most KZN business owners should pay attention to. A mid-sized private hospital is the structural equivalent of a mid-sized SME. The attacker chose a target with sensitive data and limited downtime tolerance, exactly the profile of most professional services and healthcare practices in KZN.
For broader context on this category, see our earlier deep-dives on cyber attacks on SA healthcare and on what happened when a Durban medical practice paid a ransomware demand.
Do this now. Run an offline backup test this week. Restore one critical file from your backup to a clean device. If you cannot, your backup is theatre and not insurance.
3. SABRIC: R3.9 billion in banking fraud, Capitec blocks R642 million in mule activity
SABRIC's 2025 figures, released in Q1 2026, confirmed R3.9 billion in banking fraud losses for the year, a 23% increase on 2024. Phishing remains the single largest contributor to digital banking losses, and AI-generated banking communications are now "nearly indistinguishable" from genuine bank correspondence, according to SABRIC.
On 2 April 2026, Capitec announced it had blocked R642 million in fraud and shut down more than 64,000 mule accounts between January 2025 and March 2026. Most mule account holders did not know they were being used.
For an SME, the mule account economy matters because it is how stolen money leaves your business. A staff member sells their identity at a taxi rank for R500. The proceeds of an EFT scam against your supplier flow through that account. SAFPS listings follow. Your payroll recipient list is now an attack surface. We cover the mechanics in "Are you a money mule and don't know it?".
Do this now. Add a mandatory call-back rule for any new beneficiary or banking-detail change above R5,000. No exceptions, including from the managing director.
4. The Information Regulator is sharpening POPIA enforcement
On 5 May 2026, the Information Regulator presented its 2026/27 Annual Performance Plan to the Portfolio Committee. The signal was clear. Enforcement is moving from reactive to proactive, with planned compliance assessments across the public and private sector. Breach notification volumes via the eServices portal rose 40% in early 2025/26, and mandatory portal submission has been in force since 1 April 2025.
Proposed POPIA amendments under consideration would remove the "remedy first" procedural step before sanctions can apply. That means fines could land faster. The precedent is the R5 million fine issued to the Department of Basic Education for non-compliance over the publication of matric results, with payment confirmed in early 2026.
For the full timing and structure of a notifiable breach, see our POPIA data breach notification guide.
Do this now. If you have not formally registered an Information Officer on the Regulator's portal, do it today. Bookmark inforegulator.org.za for the breach notification page. You have 72 working hours from awareness of a compromise, not from confirmation.
What this means for Durban and KZN businesses specifically
One of these four is a Durban story. The other three each apply directly to any KZN business with a bank account, an inbox, and customer data. The pattern across all four is the same one we have flagged every month: the technology enables the attack, but a person approves the payment, ignores the warning, or skips the verification. Process beats panic.
Three things you can do this week
- Test one backup by restoring a file to a clean device.
- Add a call-back rule for any banking-detail change above R5,000.
- Register your Information Officer with the Regulator if you have not.
If you want a full assessment of your business's exposure, the controls in place, and your POPIA gap, book a cybersecurity assessment at /services/cybersecurity-assessment/. Half a day on site. R4,500.
The next monthly roundup is the May edition, out on 26 May. Reach us at [email protected] to get it straight to your inbox.
Sources
- TechCentral: Standard Bank data breach fallout deepens (Published: April 2026)
- Daily Maverick: Standard Bank is discovering the extent of the cyberattack (Published: 17 April 2026)
- ITWeb: Hackers publicly release data stolen from Standard Bank (Published: April 2026)
- IOL: Durban hospital targeted in ransomware incident (Published: 12 May 2026)
- BeyondMachines: Ahmed Al-Kadi Private Hospital ransomware attack (Published: April 2026)
- Daily Investor: Capitec stops R642 million in fraud (Published: April 2026)
- iAfrica / SABRIC: SABRIC warns of rising AI-powered fraud (Published: 2026)
- Werksmans: Information Regulator 2026/27 Annual Performance Plan (Published: 5 May 2026)
- ITWeb: Education Department issued R5m fine for POPIA violation (Published: 2026)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa
ubuntuguard.co.za