South Africa’s Standard Bank, Africa’s largest bank by assets, and its insurance subsidiary Liberty have both confirmed data breaches affecting client personal information, with the incidents first disclosed in late March 2026. Now a threat actor is claiming to have maintained persistent access to both organizations’ systems for over 3 weeks in February and is beginning to release what it describes as 1.2 terabytes of data containing 154 million rows of SQL records. Neither Standard Bank nor Liberty had issued any public statement addressing the new claim at time of publication.
What Standard Bank and Liberty Confirmed
Liberty was first to disclose, notifying clients via SMS on March 23, 2026 that it had detected unauthorized third-party access to select data systems. CEO Yuresh Maharaj confirmed the breach in a public statement, saying the company had taken immediate steps to contain and mitigate the impact and that client policies and investments remained secure. Affected data reportedly includes names, surnames, and identity numbers. Liberty has approximately 3.2 million customers across the African continent.
Standard Bank subsequently notified affected business clients via email that unauthorized access had occurred to certain data within its environment. The bank confirmed exposed records include account numbers, limited account information, business names, and ID or registration numbers. In a more significant disclosure, The Citizen reported that in a limited number of cases, the exposed data also includes credit card numbers and expiry dates, though CVV numbers were not impacted. Standard Bank said it is replacing affected cards and that its transactional banking systems were not accessed and remain secure.
Both organizations reported the incidents to South Africa’s Information Regulator, which subsequently requested an urgent meeting with Liberty’s leadership to assess the scope of the breach. Under South Africa’s Protection of Personal Information Act (POPIA), organizations that suffer a security compromise involving personal information are required to notify both the Information Regulator and affected individuals as soon as reasonably possible. Given that credit card numbers were exposed in some cases, the scope of those obligations extends into financial data territory where the risk of downstream fraud is immediate. Standard Bank has declined to confirm whether the two incidents are connected.
New Claim Escalates the Picture
A post published today on a cybercrime forum claims the actor had persistent access to both Standard Bank and Liberty systems for just over 3 weeks in late February 2026, moving through SharePoint, OneDrive, PowerApps, AppDynamics, Jira, Confluence, Citrix, Remedy, Microsoft and Oracle SQL databases, and a number of native applications. The post claims 1.2TB of data including 154 million rows of SQL records was exfiltrated and states the data is now being released in piecemeal batches via a dedicated Tor site. The timing of the claimed access window aligns with the February period preceding the March disclosures from both organizations, and the data types described are consistent with what Standard Bank and Liberty have confirmed was accessed. BreachNews is not linking to the forum post, the Tor site, or any data release location.
Liberty’s Prior Breach and a Pattern of Incidents
This is not Liberty’s first significant security incident. In 2018, Liberty suffered a breach described at the time as potentially one of the most damaging in South African corporate history, with attackers accessing approximately 40GB of data including emails and client documents. The broader Standard Bank group has faced a string of security and operational failures since then. In November 2024, an employee with authorized access was caught copying client data to an unprotected personal device. In July 2024, widespread fraud complaints prompted the bank to temporarily block transactions in Brazil. A December 2025 outage disrupted the group’s mobile banking app for several hours. South African financial institutions are not alone in facing this pressure — Lloyds Banking Group exposed 447,000 customer accounts in a separate incident earlier this year, reflecting a sustained global wave of attacks targeting financial infrastructure.
South African organizations face an average of more than 2,000 cyberattacks per week according to industry data, with financial services among the most targeted sectors on the continent. Affected Standard Bank and Liberty clients are advised to monitor their accounts closely and contact their institution only through official channels. Standard Bank has urged clients to report suspicious emails to phishing@standardbank.co.za and to remain alert for SIM-swap indicators such as sudden loss of network signal or missing one-time passwords. For broader guidance on responding to a breach notification, see our data breach response guide.
