South African Airways (SAA) acknowledged that on Saturday, May 3, 2025, a cyberattack occurred that momentarily interfered with its website, mobile application, and a few internal systems.
In a statement on May 6, the airline said it had activated its business continuity and disaster recovery procedures, restoring critical services that same day and continuing flights and customer service without interruption.
“Our response team acted swiftly to contain the disruption and initiate a comprehensive investigation,” said John Lamola, Group CEO of South African Airways. “The security and integrity of our systems and the protection of customer data remain our top priorities. We are working diligently to assess the impact of the incident and to reinforce our cybersecurity posture.”
The incident is thought to have involved external cybercriminals, and its origin and extent have been investigated with the help of independent digital forensic specialists. According to data protection and national security regulations, the airline notified the Information Regulator, the South African Police Service, and the State Security Agency about the breach.
Investigators are yet to determine whether any information was stolen or accessed. If a breach is confirmed, SAA has promised to notify those who may be impacted.
Investigation to evaluate full scope of cybersecurity breach
SAA hired independent digital forensic investigators shortly after the incident was contained to identify the underlying cause and evaluate the full scope of the breach. Although the investigation is still ongoing, preliminary findings point to the possibility that external cybercriminal activity caused the disruption.
As a National Key Point, SAA is required by law to adhere to stringent procedures in the event of such an incident. The airline has notified the South African State Security Agency (SSA) and the South African Police Service (SAPS) of the incident in accordance with these duties, and they have opened a criminal investigation.
The airline has also notified the Information Regulator of South Africa in accordance with the Protection of Personal Information Act (POPIA) as a precaution.
Aftermath cyberattack
Whether sensitive personal or operational data was accessed or stolen is one of the most urgent questions that arise after any cyberattack. Finding out if any data was compromised is the current goal of the forensic investigation, according to SAA. In the event that there is any indication of data exfiltration, the airline has promised to notify the affected parties in compliance with legal requirements.
There is currently no proof that employee or customer data has been accessed. Customers are being advised by SAA to report any suspicious activity and to exercise caution.
“We will leave no stone unturned in understanding what happened and how we can prevent it in the future,” said Lamola. “This includes strengthening our systems, updating protocols, and training our teams. Our goal is to deliver reliable and secure service to all our stakeholders.”
Pattern of cyberattacks in South Africa
The SAA hack is the most recent in a series of cyberattacks that have targeted significant South African organisations in industries, including government, telecommunications, healthcare, and agriculture.
Poultry manufacturer Astral Foods announced a cyberattack in March 2025 that caused operational disruptions and was estimated to have cost the business about 20 million rand (roughly $1.1 million USD) in profits for the six months ending March 31. The business acted quickly to minimise the harm and get back to business as usual.
Over the past two years, other victims have included the Government Employees Pension Fund, a large energy company, a state-owned bank, and several government-run laboratories. The nation’s largest poultry producer, a major telecommunications provider, and a weather service have all been compromised in the first few months of 2025.
The biggest mobile operator in Africa, MTN Group, most recently acknowledged a cyberattack that exposed the personal information of an unspecified number of its users.
A serious cyberattack also targeted South Africa’s primary diagnostic service provider for public health facilities, the National Health Laboratory Service (NHLS), in 2024. The organisation’s website, emails, and vital lab test result systems were all impacted by the breach, which compelled a complete shutdown of its IT infrastructure.
These cyberattacks have become more frequent and have a greater impact. The LockBit ransomware group was implicated in attacks on South Africa’s and other countries’ organisations in 2023. In a particularly well-known case that same year, a ransomware group released a portion of the 1.6 terabytes of data purportedly taken from the South African defence department, along with the personal information of the president of South Africa.
Law to tame waves of cyberattack in South Africa
The South African government passed a new law in April 2025 requiring that all cyberattacks be reported to the nation’s Information Regulator in response to the public’s growing concern over these cyber incidents. The goal of the rule is to guarantee prompt, better-coordinated reactions to new threats and to improve the monitoring of security events involving personal data.
The new law is a big step towards increasing transparency and strengthening national cybersecurity, especially for organisations like SAA that deal with a lot of sensitive data.
South African Airways’ commitment to protect digital infrastructure
SAA is still committed to protecting its digital infrastructure and upholding public confidence while it looks into the SAA cyberattack. Customers are encouraged to follow standard online safety procedures, like keeping an eye on their accounts for questionable activity and avoiding phishing scams, and to stay informed through official SAA communication channels.
Although the disruption seems to have been successfully contained by SAA’s quick response, the results of the ongoing investigation will probably influence the company’s future cyber strategy and serve as a warning to others.
