
Standard Bank has acknowledged that client data stolen in a cyber incident first disclosed on 23 March 2026 “now appears to have been published” online, marking a significant escalation in what appears to be one of South Africa’s most serious financial services data breaches.
The data involved includes client names, ID and company registration numbers, contact details and account numbers, the bank said in an updated statement. A limited set of client credit card details, including card numbers and expiry dates, was previously confirmed as affected. CVV numbers were not compromised.
The bank said affected cards were being proactively replaced and that it was communicating directly with impacted clients.
“We can confirm that, in a limited number of cases, the affected information also includes credit card details, specifically card number and expiry date. We are communicating directly with those clients and proactively replacing their cards as a precaution. CVV numbers are not impacted,” Standard Bank spokesman Ross Linstrom said in response to a query on Thursday from TechCentral.
A threat actor using the handle “ROOTBOY” has reportedly claimed responsibility for the breach on a dark web forum, saying they spent roughly three weeks inside the bank’s network from late February before exfiltrating about 1.2TB of data. According to the claims, reported by MyBroadband, the attacker is demanding payment of one bitcoin to stop further data being released.
Ransom?
Standard Bank did not respond to TechCentral’s questions about whether any ransom demand has been made or paid. The bank said it has complied with applicable regulatory notification requirements and is cooperating with authorities.
Standard Bank’s life insurance and investment subsidiary, Liberty Group, disclosed its own data breach on 24 March, a day after the Standard Bank disclosure. At the time, Liberty said it had detected “unauthorised third-party access” to some of its systems and that its services remained fully operational.
Liberty CEO Yuresh Maharaj said the company’s core systems were unaffected and that a full investigation, supported by external experts, had been launched.
Standard Bank has previously confirmed that the two incidents are related but involve separate legal entities and different datasets.

Standard Bank said it has put in place enhanced monitoring of credit bureau activity, additional transaction monitoring and fraud detection across its platforms to protect affected clients.
The bank is urging customers to update their banking passwords, enable biometric authentication on the Standard Bank mobile banking app, use strong unique passwords, and apply for protective registration with the Southern African Fraud Prevention Service – a free service that flags attempted applications for banking products using a registered ID number.
Clients unsure whether they are affected have been advised to contact the bank via its usual channels. Dedicated lines for the incident are 0860 123 000 for personal and private banking clients and 0860 109 075 for business banking clients. Corporate and investment banking clients have been told to contact their relationship managers.
Standard Bank has not said how many clients are affected.
The Information Regulator did not immediately respond to a request for comment on the latest developments. – (c) 2026 NewsCentral Media
