Standard Bank South Africa Confirms Data Breach

Standard Bank, South Africa’s largest lender by assets, has confirmed that client personal information was subject to unauthorised access on 23 March 2026. The bank says its core banking systems remain secure and fully operational.

The incident affects select customer data, including names, surnames, ID numbers, and company registration numbers. However, the bank noted that the specific information involved may differ from person to person.

Standard Bank announced the breach in a press release, “A message from Standard Bank” and has begun notifying impacted customers directly. External experts are now assisting with a full investigation.

“The Standard Bank of South Africa has identified an incident involving unauthorised access to select data, and we immediately took steps to secure our environment and mitigate the impact,” the bank said in March.

“Our teams, supported by experts, have launched a full investigation into this incident. We operate within a robust regulatory framework and fully comply with all applicable obligations.”

The bank warned clients that the exposed information creates a heightened risk of targeted fraud. Attackers could use the stolen data to impersonate victims or contact them fraudulently via email, calls, or SMS.
This technique is known as spear-phishing. Unlike generic phishing attempts, spear-phishing uses specific personal information such as a person’s name, ID number, and employer to craft convincing lures. An attacker could, for example, direct a victim to a fraudulent website designed to capture banking credentials.

Standard Bank has reported the incident to the Information Regulator of South Africa, the country’s primary authority for data breaches and leaks. The bank said it continues to strengthen controls and enhance monitoring in line with industry best practices.

The bank urged clients to follow several precautions including:

• Updating passwords on banking apps and social media
• Enabling two-factor authentication on the mobile banking app
• Using strong, unique passwords with biometric authentication
• Verify any unexpected email, SMS
• Never share your personal information, including passwords and PINs, when asked to do so via phone, text, or email
• Register with the Southern African Fraud Prevention Service for protective registration, which is a free service
• Verify any unexpected email, SMS or call asking for sensitive information by contacting the bank
• Suspicious links or unfamiliar website URLs should never be clicked.

“Given the nature of the information accessed, there is a risk that someone could use it to try to impersonate you or contact you fraudulently,” the bank said.
“We have increased our monitoring and encourage our clients to remain vigilant.”

The Standard Bank breach also occurred on the same day that Liberty disclosed its own security incident involving unauthorised access to internal systems. Liberty is a major subsidiary of the Standard Bank Group and is integrated into the bank’s broader financial services across 16 African markets. Liberty confirmed that policies and investments remain secure and services are running normally. Standard Bank has not publicly linked the two incidents.