South African Airways (SAA), the country’s flag carrier, has confirmed that it suffered a significant cyber incident on Saturday, May 3, 2025. The SAA data breach caused temporary disruptions to its website, mobile application, and certain internal systems. However, swift response measures were implemented, allowing the airline to restore normal operations by the end of the same day.
In a statement issued by the airline, SAA noted that it had immediately activated its disaster management and business continuity protocols upon discovering the incident. These proactive measures ensured that the airline’s core flight operations remained stable and that essential customer service platforms such as contact centers and sales offices continued functioning without interruption.
“Our response team acted swiftly to contain the disruption and initiate a comprehensive investigation,” said Prof. John Lamola, Group CEO of South African Airways. “The security and integrity of our systems and the protection of customer data remain our top priorities. We are working diligently to assess the impact of the incident and to reinforce our cybersecurity posture.”
SAA Data Breach: Independent Investigation and Government Involvement
Shortly after containing the incident, SAA brought in independent digital forensic investigators to determine the root cause and assess the full extent of the breach. While the investigation is ongoing, early indications suggest that the disruption may have been the result of external cybercriminal activity.
Given its designation as a National Key Point, SAA is legally bound to follow strict protocols during such incidents. In compliance with these obligations, the airline has reported the event to the South African State Security Agency (SSA) and the South African Police Service (SAPS), which have initiated a criminal investigation.
Additionally, as a precaution under the Protection of Personal Information Act (POPIA), the airline has informed the Information Regulator of South Africa.
Potential Data Exposure Under Review
One of the most pressing concerns following any cyberattack is whether sensitive personal or operational data was accessed or stolen. According to SAA, the current focus of the forensic investigation is to determine if any data was compromised. The airline has pledged to notify affected individuals in accordance with regulatory guidelines, should any evidence of data exfiltration come to light.
As of now, there has been no confirmation that customer or employee data has been accessed. However, SAA is urging customers to remain vigilant and report any suspicious activity.
Ongoing Collaboration and Commitment to Cybersecurity
SAA is continuing to work closely with investigators and government authorities to understand the full scope of the incident. The airline emphasized that it is committed to enhancing its cybersecurity framework based on the lessons learned from this event.
“We will leave no stone unturned in understanding what happened and how we can prevent it in the future,” said Lamola. “This includes strengthening our systems, updating protocols, and training our teams. Our goal is to deliver reliable and secure service to all our stakeholders.”
A Broader Pattern of Cyber Threats in South Africa
This cyberattack on SAA is the latest in a string of cyber incidents targeting major South African organizations across sectors such as healthcare, telecommunications, agriculture, and government.
In March 2025, poultry producer Astral Foods reported a cyberattack that disrupted its operations and was expected to cost the company approximately 20 million rand (about $1.1 million USD) in profits for the six-month period ending March 31. The company took swift measures to mitigate the damage and resume operations.
In 2024, the National Health Laboratory Service (NHLS), South Africa’s key diagnostic service provider for public health facilities, also suffered a severe cyberattack. That breach forced a full shutdown of the organization’s IT systems, affecting emails, its website, and critical lab test result systems.
The frequency and impact of these cyberattacks have continued to escalate. In 2023, the LockBit ransomware group was linked to attacks on organizations in South Africa, among other countries. In a particularly high-profile case that same year, a ransomware group leaked personal details of South Africa’s president and released part of the 1.6 terabytes of data allegedly stolen from the country’s defense department.
Additional victims over the last two years have included a state-owned bank, a major energy company, the Government Employees Pension Fund, and various government-run laboratories. Just in the first few months of 2025, attackers have breached the country’s weather service, its largest poultry producer, and a leading telecommunications provider.
Most recently, telecom giant MTN Group, Africa’s largest mobile operator, confirmed a cyberattack that exposed personal data of an undisclosed number of its customers.
Government Response and New Reporting Laws
Amid growing public concern over these cyber incidents, the South African government enacted a new law in April 2025 mandating that all cyberattacks be reported to the country’s Information Regulator. The regulation aims to strengthen the monitoring of security incidents involving personal information and ensure quicker, more coordinated responses to emerging threats.
The new law is a significant step in reinforcing national cybersecurity and improving transparency, especially for entities that handle large volumes of sensitive data, like SAA.
Ongoing Investigation and Outlook
As SAA continues to investigate the SAA cyberattack, it remains focused on securing its digital infrastructure and maintaining public trust. Customers are advised to stay informed via official SAA communication channels and to follow standard online safety practices, such as monitoring their accounts for suspicious activity and avoiding phishing scams.
The Cyber Express editorial team has reached out to South African Airways for further details, but no additional comment has been received as of the time of publication.
While SAA’s immediate response appears to have effectively contained the disruption, the outcome of the ongoing investigation will likely shape the company’s future cyber strategy—and serve as a cautionary tale for others.
