South Africa's Open Door: Government Websites, Cybercriminal Opportunity, and a Regulatory Framework Under Strain

South Africa's government is sitting on a digital time bomb. Hundreds of state-run websites carry known, unpatched security vulnerabilities — some going back more than a decade — leaving critical citizen data exposed to ransomware gangs, fraudsters, and state-sponsored hackers. And while the regulatory machinery exists on paper, experts warn that enforcement, policing capacity, and government accountability remain dangerously inadequate.

The Scope of the Problem

Cybersecurity researcher Joel Cedras, who was part of the team that uncovered large-scale fraud in South Africa's Social Relief of Distress (SRD) grant system in 2024, has now turned his attention to the broader government ICT estate — and what he found is alarming.

Of the approximately 1,100 public-facing systems hosted on the network of the State Information Technology Agency (SITA), which manages a large portion of government ICT infrastructure, roughly one in seven carries an unpatched, known security vulnerability. The situation is even more dire outside SITA's network: among 516 public-facing systems on non-SITA government infrastructure — a network nearly half the size — one in five is exploitable.

"Both on and off SITA's network, some government servers have been unpatched for over a decade," Cedras told MyBroadband. "The doors are open."

The specifics are sobering. The Deeds Office was found to carry over 450 vulnerabilities. The Eastern Cape Health Department is reportedly susceptible to ProxyLogon, an attack class that allows an intruder to impersonate an administrator and access an Exchange email server — a foothold that can lead to mass data exfiltration or so-called "double extortion" ransomware attacks. The Department of Sports, Arts and Culture had more than 100 vulnerabilities on a single server; the Limpopo Government had over 150; the Department of Home Affairs had more than 100 open vulnerabilities.

Six of the identified vulnerabilities appear on the Known Exploited Vulnerabilities (KEV) list — a catalogue maintained by cybersecurity authorities of flaws that are being actively weaponised by attackers in the wild.

"I would ask whether [an attack] has happened already," Cedras said.

The answer, in at least one case, is yes. Statistics South Africa was struck by a ransomware attack by a group calling itself XP95, which claimed to have stolen 154 GB of data from an unspecified Stats SA server and demanded R1.7 million in ransom. Stats SA refused to pay. The group has since disappeared, but the breach underscores the real-world consequences of the vulnerabilities Cedras describes: citizen identity documents, title deeds, criminal records, and biometric data held by government sit within reach of any competent attacker willing to exploit what amounts to an unlocked front door.

SITA has pushed back on the characterisation that its network is insecure. Tlali Tlali, head of corporate affairs at SITA, said security operations teams monitor the network around the clock and that ongoing modernisation initiatives aim to improve the security posture of critical systems. He added that many government departments host their own systems or use approved third-party providers while still using SITA for connectivity, complicating the picture of accountability.

"SITA remains committed to the continual improvement of the Government Private Network (GPN) security posture through the implementation of enhanced security controls," Tlali said.


South Africa does not lack for cybersecurity legislation. The country has built a layered, if still maturing, legal architecture to address cyber threats.

The cornerstone of cybercrime law is the Cybercrimes Act 19 of 2020, which came into force in May 2021. The Act defines cybercrimes and details police powers to investigate, search, access, or seize electronic devices. Section 14 specifically recognises that cybercriminals not only attack networks through ransomware but may also use technology to perpetrate crimes such as extortion, fraud, and incitement. Those found guilty of a cybersecurity offence face hefty fines and prison sentences of up to 15 years. 

One of the main provisions of the Cybercrimes Act is the creation of a dedicated unit within SAPS known as the Cybercrimes Unit, which is responsible for investigating and prosecuting cybercrimes. The Act also provides for the establishment of a Cybercrimes Advisory Council made up of representatives from government agencies and the private sector. 

Data protection falls under the Protection of Personal Information Act (POPIA), which came into full force on 1 July 2021 and promotes the protection of personal data processed by both public and private bodies, with the power to levy penalties for non-compliance. The Information Regulator may deliver an infringement notice and administrative fine to any responsible party found to have committed an offence. 

The financial sector operates under an additional layer of protection. The Financial Sector Conduct Authority (FSCA) and the Prudential Authority published a Joint Standard on Cybersecurity and Cyber Resilience Requirements in May 2024, with a commencement date of 1 June 2025, requiring all financial institutions to meet minimum standards for identifying and guarding against cybersecurity risks.

At a strategic level, the National Cybersecurity Policy Framework (NCPF) covers the protection of critical information infrastructure, combating cybercrime, and establishing cybersecurity standards, and it outlines the roles of government bodies, the private sector, and civil society. It also established a Cybersecurity Response Committee led by the State Security Agency and a Cybersecurity Hub within the Department of Telecommunications.

Taken together, this framework is broadly comparable to international standards. The problem is not the law — it is what happens next.


Enforcement and Policing: A Widening Gap

The gap between South Africa's cyber laws and their enforcement in practice is stark, and the figures make for uncomfortable reading.

In 2024, over 100,000 banking breaches caused R1.8 billion in losses — yet SAPS recorded only 544 cases. That is a detection and prosecution rate of well under 1%. 

The staffing picture explains part of the problem. As of October 2024, the Directorate for Priority Crime Investigation (DPCI) had only 64 members dedicated to cybercrime investigation support — with a shortage of 52 members against its fixed establishment. In cybercrime detective services more broadly, there are 86 members but a shortage of 152. In other words, SAPS cybercrime units are operating at less than half their intended strength. 

Cybercrime is significantly under-reported in South Africa, and neither SAPS nor the National Prosecuting Authority publishes comprehensive statistics on local cyber incidents. South Africa's cybercrime density — the percentage of cybercrime victims among internet users — increased by 8% between 2021 and 2022, placing the country fifth globally. 

Despite some committed officers who have championed the cybercrime issue and tried to secure more resources, SAPS knowledge, experience, and staffing are in short supply. Closing the capacity gap may well require support from international donors working through Interpol and the private sector. 

There has been some progress. Through a UK Government Digital Access Programme, over 2,300 police officers have received training in cybercrime awareness, open-source intelligence (OSINT), and digital forensics. And in one of the first cases of its kind, the Cybercrimes Act was successfully used to secure a conviction based on WhatsApp voice note evidence, signalling growing confidence among prosecutors to bring digital evidence cases to court. 

But convictions like that one address harmful communications, not the scale of state infrastructure vulnerabilities and ransomware attacks that Cedras describes. For attacks on government systems, accountability mechanisms remain weak and public reporting is almost non-existent.

Data breach reporting has increased sharply: some 1,607 breaches were reported to the Information Regulator between April and September 2025 — a 60% increase from 2024. On 1 April 2025, the IR launched a mandatory security compromise reporting tool to streamline this process. But reporting a breach and actually preventing or punishing the underlying attack are very different things.


The Accountability Vacuum

Perhaps the most troubling dimension of the situation is structural. No single body has clear, enforceable responsibility for the cybersecurity posture of all government departments. SITA manages the government's backbone network but cannot compel departments to patch their own systems. Individual departments host their own environments. The NCPF and Cybercrimes Act set frameworks, but accountability for non-compliance within the public sector is blurred.

The Democratic Alliance has tabled a Private Member's Bill to establish a new Chapter 9 institution — an Office of the Cyber Commissioner — to address exactly this accountability gap. While the response from the private sector and academia was largely positive, reception from government and the public sector was less enthusiastic.

For Cedras, the arithmetic is simple: known vulnerabilities, unpatched for years, on systems holding the most sensitive data South Africans have ever handed to their government. Identity documents. Title deeds. Health records. Criminal histories.

"There is a serious risk of leaking of sensitive data, which can facilitate fraud and other crimes against citizens," he said. "A ransomware attack could shut down multiple government services at once."

South Africa has the laws. It does not yet have the enforcement, the staffing, or the political will to close the doors that have been left wide open.