Grounded by Code: SAA Cyberattack Exposes Legal Tangles in South Africa’s Cyber Defence

On 3 May 2025, South African Airways (SAA) fell victim to a serious cyberattack that crippled its website, mobile app, and several internal systems. For a national carrier, this could have spelled chaos. But SAA’s disaster recovery and business continuity plans kicked in fast—critical operations continued through call centers and sales offices, and systems were restored within hours.

What followed, however, was just as important as the recovery: SAA launched an urgent forensic investigation and notified the State Security Agency (SSA), SAPS, and the Information Regulator, as required by the Protection of Personal Information Act (POPIA). Whether personal data was accessed or exfiltrated remains under review.

This breach was more than a technical event—it was a real-world stress test of South Africa’s labyrinthine cyber legal framework. Unlike other countries, South Africa lacks a single Cybersecurity Act. Instead, the nation relies on a patchwork of overlapping laws:

  • The Cybercrimes Act criminalises data breaches and empowers investigators, with certain chapters in force since 2021.
  • ECTA governs digital communications and data integrity.
  • POPIA demands that organisations implement safeguards and report suspected breaches swiftly.
  • RICA mandates metadata retention and communication oversight.
  • CIPA and the National Cybersecurity Policy Framework apply stricter standards to critical infrastructure like SAA.

Sector-specific rules add another layer—telecoms, banks, and national key points each follow their own regulatory trails. SAA, being a declared National Key Point, had to navigate all of them—fast.

To its credit, SAA acted decisively, commissioning independent digital forensics experts to trace the breach’s origin, complying with legal requirements under multiple Acts, and preparing to notify affected individuals should the investigation confirm a data leak. This compliance reflects a high level of maturity in responding to cyber threats under complex regulation.

But the bigger issue remains: South Africa is still without a unified Cybersecurity Act. A dedicated bill has been stalled for years. In the meantime, businesses and critical infrastructure operators are left to interpret and comply with a maze of statutes and policy instruments—often in the middle of a crisis.

The SAA incident is a wake-up call. As cyberattacks grow in frequency and sophistication, so must our laws. A clearer, more cohesive legal regime is no longer a luxury—it’s a necessity.

Written by Kerri Stewart, Attorney: Technology Law, SchoemanLaw Inc
