Nearly 2 000 data breaches since April spark alarm as the Information Regulator urges stronger cybersecurity and battles Big Tech over data laws.
Reported data breaches soared 40% this year, with nearly 2 000 incidents since April, raising alarm over weak cybersecurity measures.
The Information Regulator has raised deep concern about the number of compromise incidents occurring in the country.
The regulator called on both public and private sectors to invest in better data protection systems.
It urged them to develop and maintain technical and organisational measures that protect personal information.
Data breaches up 40%
These measures must ensure the integrity and confidentiality of the data they hold.
The Information Regulator revealed this on Thursday morning during a media briefing. The briefing covered high-level cases of the Protection of Personal Information Act (Popia) and other laws. It also discussed the Promotion of Access to Information Act (Paia) and legislative developments.
In the 2024-25 financial year, organisations reported 2 374 security compromise incidents (data breaches), averaging 198 notifications per month.
ALSO READ: Cyber Month: Scammers ‘hacking kindness’ – AI and ubuntu used for fraud
Since April 2025, organisations have reported 1 947 data compromises to the regulator. This equals an average of 284 notifications per month. The figure shows a 40% increase in reported security breaches.
“The regulator continues to be deeply concerned about the increased number of compromise incidents occurring in the country and calls on both the public and private sectors to make the requisite investments into developing and maintaining appropriate technical and organisational measures to secure the integrity and confidentiality of personal information in their possession,” said chairperson of the Information Regulator, Pansy Tlakula.
The Information Regulator is also in a dispute with multinational Big Tech companies. It is challenging digital platform owners such as Google LLC and Meta Inc. over Paia’s jurisdiction.
Challenges Google and Meta over access to sensitive records
Although these companies operate in South Africa, they have refused access to certain records. They argue that Paia does not apply outside South Africa’s borders.
This has given rise to a jurisdictional dispute.
Complainants requested access to records related to election classifications and risk assessments. They also sought details on how global policies are applied in South Africa.
ALSO READ: Warning to small businesses ahead of festive season and Black Friday
“We are of the firm view that Paia applies to foreign persons or companies doing business with South Africans and those who live in it, even if they are physically located elsewhere,” Tlakula said.
“To resolve this sticky question, we have sought a legal opinion on jurisdictional issues on our enforcement powers in relation to entities domiciled abroad but doing business in South Africa.”
The Information Regulator is also involved in a legal dispute with WhatsApp. The case concerns WhatsApp’s amended Privacy Policy as it applies in South Africa.
WhatsApp update violates Popia
The regulator issued an Enforcement Notice after its assessment found that WhatsApp’s 2021 Privacy Policy update violated Popia.
“While WhatsApp LLC had initiated legal action to review the decision of the regulator and have it set aside, we are happy to announce that WhatsApp LLC and the regulator have resolved the matter through a settlement agreement.”
“In terms of this Settlement Agreement, which will be made a court order, WhatsApp LLC has agreed to introduce a number of enhancements to the transparency information that it makes available to South African users.”
NOW READ: Wits University hit by cyber attack
