Standard Bank and Liberty: Standard Bank is discovering the extent of the cyberattack in the daily data dumps

Standard Bank and Liberty Hit by Major Data Breach, Exposing Millions of Customer Records

Standard Bank and Liberty, two major South African financial institutions, have suffered a significant data breach after a three-week cyberattack by the ransomware group Rootboy. The incident, which began on 27 February 2026, resulted in the exfiltration of 1.2TB of sensitive data, including personal and financial information of customers and employees.

Scope of the Breach

The stolen data includes:

  • Customer PII: Full names, addresses, emails, phone numbers, South African ID numbers, driver’s license numbers, passport numbers, credit card numbers (excluding CVV codes), and account numbers.
  • Employee data: Details from internal systems, including SAP records.
  • Transactional data: Bulk customer and corporate records.

Rootboy claims to have extracted 154 million rows of SQL data and has begun releasing samples of 5,000, 25,000, 50,000, and 100,000 records in escalating dumps to pressure the banks into paying a 1 BTC ransom. The group alleges that Standard Bank initially engaged in negotiations but ultimately refused to comply.

Bank Responses

Standard Bank confirmed the breach on 23 March 2026, stating that only internal administrative systems were affected, while transactional and core banking systems remained secure. The bank has:

  • Proactively replaced cards for affected customers.
  • Enhanced monitoring for fraud and credit bureau activity.
  • Reported the incident to regulatory and law enforcement authorities.
  • Notified impacted clients directly, though some customers report learning of the breach through media rather than the bank.

Liberty, also targeted in the attack, issued a similar statement on 23 March, acknowledging unauthorized access but assuring clients that investments and policies remain secure. However, the company has not publicly disclosed further details, and its website makes no mention of the breach.

Timeline of Events

  • 27 February 2026: Rootboy initiates the attack.
  • 23 March 2026: Standard Bank and Liberty confirm the breach.
  • 2 April 2026: Standard Bank provides an update, reiterating that banking systems were unaffected.
  • Ongoing (April 2026): Rootboy releases stolen data in batches, with the full dataset comprising 154 million records.

Impact and Unanswered Questions

While Standard Bank has taken steps to mitigate risks, key details remain unclear:

  • The exact method of intrusion has not been disclosed.
  • The full extent of Liberty’s exposure is unknown.
  • The bank has not confirmed whether it engaged with the ransom demand or its protocol for such incidents.

Standard Bank has urged patience as investigations continue, though reports suggest the bank may have been unaware of the full scope of the breach until data was publicly leaked. The incident highlights vulnerabilities in financial sector cybersecurity, with regulators and law enforcement now involved in the response.

Source: https://www.dailymaverick.co.za/article/2026-04-17-standard-bank-is-discovering-the-extent-of-the-cyberattack-in-the-daily-data-dumps/

Liberty Group South Africa cybersecurity rating report: https://www.rankiteo.com/company/liberty-group

Standard Bank South Africa cybersecurity rating report: https://www.rankiteo.com/company/standard-bank-south-africa

"id": "LIBSTA1776458526",
"linkid": "liberty-group, standard-bank-south-africa",
"type": "Ransomware",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Millions',
                        'industry': 'Banking',
                        'location': 'South Africa',
                        'name': 'Standard Bank',
                        'size': 'Large',
                        'type': 'Financial Institution'},
                       {'customers_affected': 'Unknown',
                        'industry': 'Insurance/Investments',
                        'location': 'South Africa',
                        'name': 'Liberty',
                        'size': 'Large',
                        'type': 'Financial Institution'}],
 'customer_advisories': 'Direct notifications to impacted clients, public '
                        'statements',
 'data_breach': {'data_exfiltration': 'Yes (1.2TB)',
                 'number_of_records_exposed': '154 million rows of SQL data',
                 'personally_identifiable_information': ['Full names',
                                                         'Addresses',
                                                         'Emails',
                                                         'Phone numbers',
                                                         'South African ID '
                                                         'numbers',
                                                         'Driver’s license '
                                                         'numbers',
                                                         'Passport numbers',
                                                         'Credit card numbers '
                                                         '(excluding CVV)',
                                                         'Account numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'Financial Information',
                                              'Employee Data',
                                              'Transactional Data']},
 'date_detected': '2026-02-27',
 'date_publicly_disclosed': '2026-03-23',
 'description': 'Standard Bank and Liberty, two major South African financial '
                'institutions, suffered a significant data breach after a '
                'three-week cyberattack by the ransomware group Rootboy. The '
                'incident resulted in the exfiltration of 1.2TB of sensitive '
                'data, including personal and financial information of '
                'customers and employees.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': '1.2TB of sensitive data, 154 million rows of '
                                'SQL data',
            'identity_theft_risk': 'High',
            'operational_impact': 'Enhanced monitoring, card replacements, '
                                  'regulatory reporting',
            'payment_information_risk': 'High',
            'systems_affected': 'Internal administrative systems (Standard '
                                'Bank), Unknown systems (Liberty)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain, Data exfiltration',
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': '1 BTC',
                'ransom_paid': 'No',
                'ransomware_strain': 'Rootboy'},
 'references': [{'source': 'Media Reports'}],
 'regulatory_compliance': {'regulatory_notifications': 'Yes'},
 'response': {'communication_strategy': 'Direct notifications to impacted '
                                        'clients, public statements',
              'containment_measures': 'Enhanced monitoring, card replacements',
              'enhanced_monitoring': 'Yes',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'remediation_measures': 'Proactive card replacements, fraud '
                                      'monitoring'},
 'stakeholder_advisories': 'Regulatory and law enforcement authorities '
                           'notified',
 'threat_actor': 'Rootboy',
 'title': 'Standard Bank and Liberty Hit by Major Data Breach, Exposing '
          'Millions of Customer Records',
 'type': 'Data Breach, Ransomware'}