South Africa’s Government Cybersecurity Crisis: Breaches, Ransomware, and Billions Wasted
South Africa’s public sector is facing a serious cybersecurity emergency, with nearly two-thirds of government entities evaluated by the Auditor-General found to have significant weaknesses in their digital defences. Penetration testing carried out during the 2024/2025 financial year confirmed that multiple government environments were successfully breached, raising urgent concerns about the protection of critical public systems and data.
The findings are drawn from the Auditor-General South Africa’s (AGSA) consolidated general report on national and provincial audit outcomes for 2024/2025. The report delivers a harsh verdict on the state of information security across South Africa’s public sector, and it makes for uncomfortable reading for government leadership.
The AG’s office assessed the cybersecurity controls of 70 national and provincial government entities, looking at governance frameworks, risk management practices, compliance levels, operational controls, and incident response capabilities. Technical assessments, including penetration testing and vulnerability scanning, were also conducted to get a true picture of each entity’s digital resilience.
Of those 70 entities, 45 — representing 64% — were found to have notable weaknesses in their cybersecurity posture. Included among these were 23 high-impact entities. Eight entities, four of which were classified as high impact, displayed significant vulnerabilities that posed a real exploitation risk if not urgently addressed.
The most frequently identified failures included a lack of backup testing, missing vulnerability management tools, weak access controls, unpatched systems, and inadequate logging and monitoring of administrator activities. Many entities also lacked mature incident response capabilities and formal recovery procedures.
South African Government Cybersecurity Failures Exposed in Damning Audit Report
The report specifically highlights the South African Bureau of Standards (SABS) as a textbook case of what happens when repeated warnings are ignored. In November 2024, the SABS was struck by a devastating ransomware attack that fully encrypted its information systems, forcing a complete shutdown of all business applications. The consequences were severe enough that the entity could not even submit its 2024/2025 financial statements.
What makes the SABS situation particularly troubling is that the AG had been issuing recommendations to the bureau since the 2021/2022 financial year. Those warnings covered outdated systems, weak password policies, poor access controls, and an untested disaster recovery plan — all of which ultimately contributed to the scale of the damage. The bureau failed to act.
“The cyberattack revealed the absence of a structured response mechanism, an untested disaster recovery plan and a delayed recovery process,” the report stated bluntly. Shockingly, SABS was still in the process of recovering its systems and data at the time the report was compiled — a full 15 months after the attack had taken place.
The SABS was not alone in suffering a breach. The National Health Laboratory Service was hit by a cyberattack in June 2024, causing significant disruption to its systems. Separately, the KwaZulu-Natal Nature Conservation Board experienced a cybersecurity incident in February 2025 that locked it out of its financial system and similarly prevented it from submitting financial statements on time.
The cybersecurity crisis sits within a broader decline in IT control environments across the 191 entities the AG audited during the same period. More entities regressed in this area than actually improved, painting a worrying overall picture of digital governance in South Africa’s public sector.
Security management emerged as the weakest control area across the board. Only 69 entities — just 36% — were rated as having good controls. Meanwhile, 103 entities (54%) were rated as concerning, and 19 entities (10%) were rated as outright poor. These figures reflect a systemic failure, not isolated incidents.
Adding further weight to the crisis, the report flagged R5.5-billion in government IT infrastructure spending during 2024/2025 that “has failed to support modernisation and resilience as many auditees still operate with ageing infrastructure.” This comes on top of R12.1-billion in government IT project wastage already reported separately, revealing a troubling pattern of mismanagement and misaligned investment in public sector technology.
The cumulative picture painted by the Auditor-General’s 2024/2025 report is one of a government IT environment that is dangerously exposed, chronically under-resourced in the right areas, and too slow to act on known risks. With ransomware attacks proving capable of crippling entire institutions for over a year, the cost of continued inaction — financial, operational, and reputational — is becoming impossible to ignore. Urgent, coordinated intervention from both political leadership and technical management is no longer optional; it is a national security imperative.