Standard Bank South Africa and its insurance subsidiary, Liberty Group, have confirmed a data security incident involving unauthorised access to selected client personal information. The breach, which was initially detected in late March 2026, has prompted internal investigations and scrutiny from the Information Regulator of South Africa. Both financial institutions have stated that their core transactional and operational systems remain secure and unaffected by the incident.
Scope of the Breach
On March 23, 2026, Standard Bank released an initial statement notifying the public of unauthorised access to client data. In subsequent updates provided into April, the bank clarified the specific nature of the compromised information. According to the institution, the accessed data varies among individuals but generally includes names, identity numbers, company registration numbers, and in some cases, contact details such as email addresses and phone numbers. Account numbers for select clients were also confirmed as affected by mid-April.
Standard Bank has emphasised that its primary banking platforms were not infiltrated. Customer funds and investments remain entirely secure, and the bank has noted that there is currently no evidence to suggest the misused data has led to direct financial loss. The institution has begun the process of directly contacting customers whose information was exposed in the incident, working alongside external cybersecurity experts to trace the exact source of the access.
Liberty Group Impact
The data breach also affected Liberty Group, an insurance and asset management subsidiary fully acquired by Standard Bank in recent years. Liberty detected unauthorised third-party access to its own select data systems around the same period. Yuresh Maharaj, CEO of Insurance and Asset Management at Standard Bank, confirmed the breach at Liberty, stating that immediate steps were taken to contain and mitigate the impact.
Similar to the parent company, Liberty has assured its policyholders that all policies and investments are completely secure. The subsidiary sent SMS notifications to affected clients, reiterating that normal services and operations continue without interruption. Both entities have enlisted the assistance of external cybersecurity experts to conduct full investigations into the origins and methods of the unauthorised access.
Regulatory Oversight
The Information Regulator of South Africa is actively assessing the data breach to determine if Standard Bank and Liberty Group complied with the Protection of Personal Information Act. The regulatory body has requested additional transparency from the institutions regarding the full extent of the compromise.
Advocate Tshepo Boikanyo, an executive at the Information Regulator, indicated that the probe will evaluate the bank’s access control measures, user authentication protocols, encryption standards, and overall network security systems. The regulator aims to ascertain whether adequate protective measures were in place to foresee and mitigate potential risks to personal information. Depending on the findings, the Information Regulator will decide on appropriate administrative actions or notices.
Customer Safeguards and Risks
While banking systems remain secure, Standard Bank has cautioned clients about the increased risk of secondary cyber threats. The exposed information, specifically identity numbers and contact details, can be exploited by malicious actors to conduct targeted phishing attacks or impersonation fraud. Cybercriminals often use specific leaked information to craft unique attacks designed to convince victims to input banking details into fraudulent websites.
The bank is advising all customers to exercise heightened vigilance when receiving unsolicited communications. Clients are urged to verify any unexpected calls, emails, or text messages requesting sensitive information. Standard Bank has recommended several preventative measures for its user base:
- Update Passwords: Change login details on digital banking profiles immediately.
- Enable Authentication: Turn on two-factor or biometric authentication on mobile applications.
- Verify Sources: Avoid clicking on suspicious web links or downloading unfamiliar attachments.
Furthermore, the institution suggests registering for protective services through the Southern African Fraud Prevention Service. This free service helps prevent unauthorized individuals from opening new credit or banking accounts using stolen identity numbers. Customers who notice any irregular activity on their accounts are instructed to contact Standard Bank immediately to prevent further unauthorized activity. The bank reiterated that protecting customer privacy remains a top priority as the investigation continues.
