    In 2025, cyber breaches in Africa became harder to hide
    Image Source: Black_Kira on Getty Images/iStockphoto

    Cybersecurity breaches remained a persistent thorn in the side of African companies in 2025, but the year's defining development was not any single headline attack. Institutions lost the luxury of keeping breaches quiet, as cyberattacks became harder to hide.

    Several African countries tightened breach-reporting requirements for operators. Chief among them was Algeria, which mandated a 5-day window for companies to report breaches or pay heavy fines. Kenya and South Africa also made significant strides in forcing organisations to treat breaches as public events rather than private IT problems.

    In Kenya, operators that discover a potential breach are now expected to alert data controllers within 48 hours, and controllers are pushed to file a preliminary report to the Office of the Data Protection Commissioner (ODPC) within 72 hours—even if the full facts are not yet in. Late notifications must be justified, and new guidance from the regulator ties weak security and poor reporting directly to fines, sanctions, and even the risk of losing the right to process data. For Kenyan firms, that means the old instinct to “wait until we know more” now carries regulatory risk of its own.

    South Africa also overhauled its breach-reporting process. While the Protection of Personal Information Act (POPIA) had long required organisations to notify both the regulator and affected people after a “security compromise,” in 2025 the Information Regulator tightened how that duty works in practice. In April, it required companies to log breaches through an online reporting portal, using a form that forces operators to spell out what happened, what data was involved, what they are doing to contain it, and what affected individuals should do to protect themselves.

    According to South Africa’s Information Regulator, 2,374 breaches were reported in the 2024/25 financial year, with 82% of them occurring after April 2025. The number pointed to an acceleration, but it also hinted that disclosure was becoming unavoidable.

    Elsewhere, Zambia chose to treat cybersecurity as a critical‑infrastructure issue rather than a back‑office concern. In April 2025, the country split its cyber law into two: a Cyber Security Act governing security service providers and critical information infrastructure, and a Cyber Crimes Act dealing with offences and penalties. Operators in sectors such as energy, banking and finance, health, transport, pensions and insurance, ICT, education, mining, and other designated public‑sector services can now be classified as controllers of “critical information” or “critical information infrastructure,” bringing them under a tighter supervisory net.

    That designation comes with hard obligations: controllers must register with the new Zambia Cyber Security Agency, keep designated critical information hosted in Zambia unless expressly authorised to store it elsewhere, and promptly notify the agency of any perceived or actual cybersecurity incident affecting those systems or connected networks. They are also required to undergo annual audits, file cybersecurity situational-awareness reports, and participate in national cyber-exercises, with non-compliance punishable by fines of up to ZMW 1.2 million ($48,000) and, in serious cases, prison terms that can extend up to 10 years.

    These regulatory shifts forced the disclosure of some of the most consequential breaches of 2025. They also made visible, at a new scale, how intrusions disrupt everyday customer services in very public ways.


    Exposure as a strategy

    If 2024 gave us the unfortunate breach at South Africa’s National Health Laboratory Service (NHLS), the biggest healthcare incident of 2025 was Kenya’s M-TIBA breach in October. Like a trophy showcase, the hackers published the siphoned data on public Telegram channels, a tactic used to pressure organisations into meeting ransom demands. Organisations that hold sensitive customer data remained heavily targeted in 2025.

    Telecom firms, once assumed to be resilient by virtue of scale, became some of the most lucrative targets. Telecom Namibia, a state-owned provider, was quietly crippled by a ransomware attack in December 2024, with a public fallout that continued in January 2025. When the company refused to pay, attackers leaked sensitive billing data belonging to senior government officials in an attempt to force compliance.

    On January 8, hackers hit mobile operator Cell C, with reports stating that the perpetrators, RansomHouse, had “unlawfully disclosed the incident” and published stolen customer data on the dark web, exposing customers to fraud and extortion.

    In April, MTN Group disclosed a data breach affecting its South African subscribers. In Ghana, at least 5,700 MTN customers were directly affected in a breach reported on April 28. In South Africa, the breach escalated into a criminal investigation. The message to the industry was unmistakable: telecoms had become identity vaults, and those vaults were being tested.

    Hackers maintained their exhibitionist posture, and several other organisations holding sensitive data were hit. In January 2025, a cyberattack on the South African Weather Service (SAWS) knocked key systems offline, disrupting the delivery of aviation and marine forecasts and limiting access to critical weather information at home and across the region. In July, the municipal systems of Otjiwarongo, a quiet town in central Namibia, were knocked offline. Residents were blocked from accessing basic services as officials struggled to explain what had happened.

    The year’s most consequential infrastructure breach involved South Africa’s Eskom, the state-owned power company, and it became a crowning moment of the exposure era—one that attached a clear financial cost to a cyber incident. 

    In December 2024, the power utility detailed how its Online Vending System (OVS)—the platform used to generate prepaid electricity tokens—had been breached the previous year, after a forensic investigation linked large “non-technical” losses to fraud on the system.

    The breach itself occurred in 2024, but only surfaced publicly in December, when Eskom acknowledged that criminals had exploited weaknesses in its vending platform to generate large volumes of fraudulent yet technically valid tokens. MyBroadBand, a local media publication, reported in November 2025 that Eskom employees, either acting as colluders or as orchestrators of the scheme, took advantage of the compromised system to create and sell fake power tokens, allegedly stealing between R657 million and R1.1 billion ($39.5 million–$66 million) from the company.

    By September 2025, Eskom reported that fraud linked to the OVS breach had been reduced to “very low levels of activity.” The incident did something damaging: it made internal failure, financial loss, and delayed disclosure visible at once, underscoring how difficult it had become for institutions to keep breaches quiet.

    Espionage?

    State‑linked groups such as Salt Typhoon, associated with China, have targeted telecommunications providers—including at least one in South Africa, according to researchers at Recorded Future—seeking access not to cause disruption but to observe. Metadata, call records, network access—the architecture of daily life—proved more valuable than any single database.

    These attacks rarely produced headlines. They did not need to. Their success lay in remaining largely invisible.

    In South Africa, allegations surfaced in September that the State Security Agency (SSA) had been breached by a suspected Chinese-linked group known as RedNovember. Officials denied the intrusion, saying they had investigated the claims and found no evidence of a breach. Yet the episode kept public attention on espionage as the likely objective of RedNovember, a group notorious for targeting high-profile governments and intergovernmental organisations (IGOs). RedNovember issued no statement on the alleged SSA breach.

    At the same time, ransomware groups turned toward infrastructure: ports, utilities, logistics systems. In South Africa alone, ransomware- and cybercrime-related losses were estimated at $120 million annually. 

    Elsewhere on the continent, Senegal’s tax authority was hit by ransomware that threatened to erase and leak sensitive fiscal records. On October 2, Senegal’s Directorate General of Taxes and Domains (DGID), the department of the Ministry of Economy, Finance, and Planning responsible for tax and land policy and administration, issued a statement denying the alleged attack and framing the disruption as a temporary technical glitch. With that move, the government opted for quiet containment and recovery. Yet the episode exposed the fragility of the digital tax systems that underpin state revenue.

    Similar pressures were visible across East Africa. Kenya’s national incident response team recorded over 842 million attempted cyber intrusions in Q3 2025, most targeting government login portals and internet service providers. In Ethiopia and several other countries in the region, repeated distributed denial of service (DDoS) attacks aimed at telecom infrastructure remained a persistent thorn. These attacks were stress tests on states digitising faster than they could defend.


    The new confidence trick

    In 2025, people also stopped trusting voices.

    AI-driven social engineering matured quickly. Finance managers increasingly feared calls that sounded exactly like their CEOs, or video meetings with faces that blinked and nodded with unsettling accuracy. The traditional warning signs, bad grammar and strange domains, no longer applied.

    West Africa’s long-running role as a hub for Business Email Compromise (BEC) hardened into something more industrial. Crime syndicates like Black Axe ran operations that were transnational, disciplined, and lucrative. Reports of digital sextortion—often involving AI-generated images used to blackmail victims—also surged.

    Nigeria illustrated how cybercrime blended with insider abuse. At Access Bank, the country’s biggest bank by assets, investigators alleged that staff colluded to divert ₦826 million ($569,345) through a fake internal revenue account. It was not a breach in the conventional sense, but it underscored another reality of 2025: the most damaging compromises also came from willing, and even unwitting, insiders.

    Arrests, laws, and the theatre of response

    There were moments of resolve. In a coordinated operation, INTERPOL arrested 1,209 cybercriminals across 18 African countries. Regulators also began flexing their muscles. The Nigeria Data Protection Commission (NDPC), the country’s data privacy regulator, fined MultiChoice, the South African multinational media company, ₦766 million ($528,000) for failing to adequately protect consumer data. It signalled to African organisations that poor data stewardship would carry real financial consequences.

    In North Africa, a wave of cyber incidents unfolded over several weeks in April. The sequence began when Moroccan-linked hackers allegedly compromised the X account of Algeria’s state news agency. TechCabal’s checks showed that the account was taken over in April and renamed to ‘Sahara Marocain,’ in what appeared to be a deliberate attempt to provoke.

    On April 8, the pro-Algerian group Jabaroot hit back. It reportedly hacked Morocco’s National Social Security Fund, explicitly framing the attack as retaliation. The disclosed breach exposed tens of thousands of files containing the personal and financial information of nearly 2 million citizens.

    While officials disputed some of the leaked material, large portions of the data reportedly appeared on public Telegram channels. Soon after, Jabaroot defaced Morocco’s Ministry of Labour website, citing retaliation for online attacks against Algerian media. The escalating tit-for-tat underscored how cyber operations have become weapons in cross-border digital skirmishes, with civilians’ data as collateral damage.


    What 2025 left behind

    Between 2019 and 2025, Africa lost more than $3 billion to cybercrime, according to INTERPOL. The figure captures only money, not the confidence lost after such attacks. The agency also noted that detection and response capabilities across the continent remain limited and lag the pace and scale of emerging threats, signalling an investment gap.

    According to INTERPOL’s Africa Cyberthreat Assessment report, 90% of African businesses operate without adequate cybersecurity protocols in place. The same report notes that only 30% of African countries have an incident reporting system, underscoring persistent underreporting and structural gaps in how cyber incidents are captured.

    Across much of Africa, cybersecurity spending has tended to cluster around basic perimeter tools and compliance-driven controls, while more advanced capabilities—continuous monitoring, threat hunting, assessments, testing, and controls—remain underdeveloped in many sectors outside large banks and telecom operators. 

    A report by PwC, a global consulting firm, showed that only 28% of South African organisations are spending significantly more on proactive measures than reactive measures (such as incident response, fines, recovery). Globally, that figure is closer to 70%, yet most African organisations are not close to that mark.

    Without stronger defences, the threats will spill over into 2026. Hackers are timing their strikes for moments when systems are already strained. Blockchain startups around the world are also discovering that smart contracts, which accounted for $29 million in damages, fail just as human ones do. Information security analysts have become some of the most sought-after professionals on the continent.

    As the year draws to a close, the lesson is that breaches are no longer the thing African institutions fear most. What they fear is being seen as unprepared, evasive, and ordinary in the face of a problem they once believed could be managed quietly.