saa scaled
Johannesburg, South Africa – 6 May 2025 – South African Airways (SAA) announced today that it has been impacted by a significant cyber incident that began on Saturday, 3 May 2025. The breach temporarily disrupted access to the airline’s website, mobile application, and several internal operational systems, prompting swift response measures to mitigate its effects.
SAA immediately activated its robust disaster management and business continuity protocols upon detection of the incident. These swift actions successfully contained the incident and minimised disruption to core flight operations. They also ensured the continued functionality of essential customer service channels, such as the airline’s contact centers and sales offices. Normal system functionality across all affected platforms was restored later the same day.
Recognising the potential implications of such an event, SAA management swiftly initiated an investigation conducted by credible, independent digital forensic investigators to determine the root cause and full scope of the incident and explore the possibility that the disruption resulted from external cybercrime activities.
In line with its commitment to regulatory compliance and transparency, SAA has undertaken all reasonable and lawful steps as a National Key Point, including formally reporting the incident to the State Security Agency (SSA), South African Police Service (SAPS) for criminal investigation and notifying the Information Regulator of South Africa as a precautionary measure under the Protection of Personal Information Act (POPIA).
Regarding the potential impact on data, the preliminary investigation is currently assessing the full extent of the incident and actively working to determine if any data was accessed or exfiltrated. SAA is committed to notifying any affected parties directly, in accordance with regulatory requirements, should the investigation confirm a data breach.
Prof. John Lamola, Group CEO of South African Airways, provided the following assurance: “The security and integrity of our business systems and the protection of the consumer data entrusted to us remain our highest priority. In response to the cyber incident that began on May 3rd, we acted swiftly to contain the disruption, restore services, and initiate a comprehensive investigation. Our robust business continuity measures ensured operational stability, particularly for our valued customers. I want to assure all stakeholders, including our partners, customers, and dedicated employees, that we are taking every necessary step to determine the root cause of this incident, strengthen our security framework, and mitigate any potential risks. SAA remains committed to delivering safe, reliable, and resilient service.”
SAA continues to work closely with law enforcement and investigators, reaffirming its unwavering dedication to operational excellence and the integrity of its systems.
Notes:
- SAA was attacked cybernically this weekend. This is unwelcome news as the airline proposes yet another recovery plan.
- Airlines are facing increasing threats like this.
- The airline’s reaction by putting out this PR is interesting. Nothing in the note speaks to confidence that can prevent it from happening again.
- This is not the first time a cyber attack has hit South Africa. Based on recent and historical information up to 2024, several South African government institutions have experienced cyberattacks. Some notable cases include:
- Department of Justice and Constitutional Development (DoJCD)
- Date: September 2021
- Incident: A major ransomware attack crippled the department’s IT systems, affecting court operations, email communication, and internal processes.
- South African National Space Agency (SANSA)
- Date: Late 2021
- Incident: SANSA was listed as a victim by the ransomware group Everest, though limited details were disclosed publicly.
- Transnet (state-owned logistics and port operator)
- Date: July 2021
- Incident: A ransomware attack led to the declaration of force majeure at several key ports, disrupting freight and supply chains.
- South African Post Office (SAPO)
- Incident: SAPO has faced several IT disruptions, with cyber threats cited as one of the contributing factors, although details have often been limited.
- South African Revenue Service (SARS)
- Incident: While SARS has robust cybersecurity measures, it has acknowledged attempts and threats of cyber intrusions, prompting regular upgrades to its digital infrastructure.
- The airline has not mentioned a ransomware demand, which would indicate that customer or employee data has been breached. While it is commendable that the cyber attack was revealed, the lack of specifics leads to uncertainty for both.
Views: 0
