South African Airways (SAA) has confirmed that it was the target of a significant cyber incident that commenced on Saturday, 3 May 2025. This breach temporarily disrupted access to the airline’s official website, mobile application, and several internal operational systems, prompting urgent measures to contain the situation.
Upon detecting the cyber incident, SAA promptly activated its well-established disaster management and business continuity protocols. The airline stated, “These swift actions successfully contained the incident and minimised disruption to core flight operations.” Essential service channels, such as contact centres and sales offices, remained fully operational during the disruption. Remarkably, normal system functionality across all affected platforms was restored later that same day, showcasing the airline’s robust crisis management capabilities.
In recognition of the severity of the breach, SAA has taken immediate steps to investigate the incident. Management has engaged credible, independent digital forensic investigators to delve into the root cause and full scope of the breach, including examining whether the disruption stemmed from external cybercrime activities. Demonstrating its commitment to regulatory compliance and transparency, SAA has reported the incident to multiple authorities, including the State Security Agency (SSA) and the South African Police Service (SAPS), in line with the duties of a National Key Point. Additionally, notifications have been sent to the Information Regulator of South Africa under the Protection of Personal Information Act (POPIA) as a precautionary measure.
Addressing potential concerns regarding data security, SAA has begun a preliminary investigation to assess the incident’s impact, specifically analysing whether any user data was accessed or exfiltrated during the breach. The airline has assured that they will notify affected parties directly depending on the investigation’s findings. SAA Group CEO John Lamola provided vital assurances regarding SAA’s commitment to security: “The security and integrity of our business systems and the protection of the consumer data entrusted to us remain our highest priority. We are taking every necessary step to determine the root cause of this incident, strengthen our security framework, and mitigate any potential risks.”
Furthermore, Lamola emphasised the ongoing collaboration with law enforcement and investigators to uphold operational excellence and system integrity. The SAA cyber incident comes as South African organisations are increasingly targeted by cyber criminals. Mobile operators Cell C and MTN are some of the latest victims to be hit by cyber attacks.
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks, according to global cybersecurity company ESET’s bi-annual Threat Report. Data and expert insight collected between June and November 2024 revealed that over 40% of ransomware attacks, and just under 35% of infostealer incidents on the continent occurred in South Africa.
In recent months, a slew of companies and government agencies in South Africa have suffered data breaches and leaks. For example, the South African Weather Services were disrupted earlier this year by a ransomware gang, and tax compliance service provider Govchain suffered a data breach at the start of 2025. Additionally, a data leak allowed a company called Edumarks to release students’ matric results early in January 2025, while Claim Expert informed customers that it had suffered a leak, exposing the data of over 100,000 people.
In February 2025, the Auditor-General flagged possible fraud at the Compensation Fund, involving alleged hacking of user accounts to steal money. March saw data breaches reported by South Africa’s largest real estate agency, Pam Golding, and the country’s largest chicken producer, Astral Foods. Moreover, fraudsters had stolen identities to register for the Social Relief of Distress (SRD) grant in the names of unsuspecting individuals, a matter that continues to unfold.
As the investigation into the SAA cyber incident continues, the airline assures its customers and stakeholders that it is committed to maintaining the highest standards of security and operational integrity. The swift actions taken by SAA to mitigate the impact of the cyber incident reflect the airline’s dedication to safeguarding its systems and customer data.
In conclusion, the SAA cyber incident underscores the growing threat of cybercrime in South Africa, prompting a renewed focus on cybersecurity measures across various sectors. As investigations unfold, the airline remains vigilant in its efforts to protect its operations and customer information.
