South African Airways (SAA) has confirmed that it experienced a significant cyber incident starting on Saturday, 3 May, which temporarily disrupted access to its website, mobile app, and several internal operational systems.
Upon detecting the breach, SAA immediately activated its disaster management and business continuity protocols. These swift measures contained the incident effectively, minimising disruption to core flight operations and ensuring that essential customer service channels, including contact centres and sales offices, remained operational. Normal system functionality was restored later the same day, SAA said in a statement.
SAA management launched a thorough investigation with independent digital forensic experts to determine the root cause and full scope of the incident, including the possibility of external cybercrime involvement. As a National Key Point, SAA has reported the incident to the State Security Agency (SSA), South African Police Service (SAPS), and notified the Information Regulator of South Africa under the Protection of Personal Information Act (POPIA).
The preliminary investigation is ongoing to assess whether any data was accessed or exfiltrated. SAA has committed to notifying any affected parties directly, in line with regulatory requirements, should a data breach be confirmed, the airline said.
“The security and integrity of our business systems and the protection of the consumer data entrusted to us remain our highest priority. In response to the cyber incident that began on May 3rd, we acted swiftly to contain the disruption, restore services, and initiate a comprehensive investigation. Our robust business continuity measures ensured operational stability, particularly for our valued customers. I want to assure all stakeholders, including our partners, customers, and dedicated employees, that we are taking every necessary step to determine the root cause of this incident, strengthen our security framework, and mitigate any potential risks. SAA remains committed to delivering safe, reliable, and resilient service,” said Prof John Lamola, Group CEO of SAA.
Over the past several years, South African government entities have faced a surge in cyberattacks, particularly ransomware, targeting critical infrastructure and disrupting key services. Notable incidents include the crippling of the Department of Justice and Constitutional Development’s IT systems in September 2021, a ransomware attack on Transnet in July 2021 that brought port operations to a near standstill, and repeated disruptions at the South African Post Office and South African National Space Agency.
More recently, the South African Weather Service was taken offline by a ransomware group in January 2025, impacting weather reporting for aviation and marine sectors. These attacks, often linked to sophisticated international cybercrime groups, have exposed vulnerabilities in government systems, sometimes exacerbated by insider involvement, and have led to significant operational disruptions, data breaches, and financial losses.
South Africa now averages thousands of cyberattacks per week against government agencies, making it one of the continent’s most targeted countries, with ransomware and information disclosure among the most prevalent threats.
