Cybersecurity: how the Cell C and SABS attacks could have been prevented

Cybercrime has become the single biggest threat to businesses worldwide.

According to the Allianz Risk Barometer 2025, cyber incidents — including ransomware attacks, data breaches and IT outages — are now the top global business risk, marking their fourth year at the top.

A decade ago, only 12% of global respondents cited cyber as a major concern. In 2025, that number surged to 38%.

Allianz noted, “Cyber is the top risk across North and South America, Europe, and Africa,” dominating industry concerns from aviation to legal services. More importantly, it now ranks as the number one risk in South Africa, overtaking long-standing issues like load shedding and political instability.

This concern is not just theoretical.

Two recent, high-profile cyberattacks—one on mobile telecommunications provider Cell C and another on the South African Bureau of Standards (SABS)—have rocked South Africa.

Both incidents have raised serious questions about compliance, cybersecurity readiness, and whether these attacks could have been prevented.

Cell C confirmed in a December 2024 media release that it had suffered a major ransomware attack.

Sensitive unstructured customer data — including ID numbers, bank details, driver’s licenses, medical records and passport information — was compromised and later leaked on the dark web.

While a follow-up communication was sent to customers in early January 2025, the eight-day delay between public disclosure and customer notification drew criticism.

The SABS breach followed a similar pattern — ransomware paralysed the organisation’s systems in November 2024, with clients being informed on 26 November. Shockingly, it was later revealed in Parliament that, by February 2025, core systems remained encrypted and inaccessible. This marked the third cyberattack on the SABS in just five years.

Herman Stroop, Lead ISO Specialist at WWISE (World Wide Industrial & Systems Engineers), said that both attacks were entirely preventable.

“Neither Cell C nor SABS were ISO/IEC 27001 certified — a globally recognised standard for information security management,” Stroop said.

“This standard isn't just a technical checklist. It's a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way,” Stroop added. 

The ISO/IEC 27001 standard focuses on Confidentiality, Integrity, and Availability (CIA)—the foundation of modern information security.

It requires organisations to conduct ongoing risk assessments, implement policies and technical controls, and continuously monitor and update these defences in response to emerging threats.

According to Stroop, the absence of such a system is often due to a lack of strategic commitment from leadership.

“Cybersecurity is wrongly seen as an IT issue,” he says. “Top management often fails to view it as a core business risk, resulting in underinvestment in preventative frameworks like ISO/IEC 27001. One key challenge in South Africa is poor enforcement of existing regulations. While the Protection of Personal Information Act (POPIA) and Minimum Information Security Standards (MISS) lay out clear expectations for information governance, many organisations either ignore or delay compliance due to a perceived lack of consequences," Stroop said.

“The irony is that prevention is far cheaper than remediation,” Stroop noted.

“In many cases, organisations suffer reputational damage, legal liability, and operational downtime that far exceed the cost of implementing an ISO-compliant Information Security Management System.”

Cell C and SABS also provide examples of poor transparency. Details about the nature of the attacks and how they were handled remain vague.

“When an organisation isn’t ISO-certified, it usually doesn’t have the documentation, procedures or incident response plans to respond properly — let alone communicate clearly — during a breach,” Stroop added.

According to the Information Regulator, South Africa sees between 150 and 300 cyberattacks reported each month—and that’s just the reported incidents. Many go unreported due to reputational fears or because organisations are not compliant with POPIA and fear investigation.

Stroop believes that ISO 27001 should be mandated for public institutions and critical infrastructure operators.

“Without minimum compliance levels, we're just waiting for the next disaster,” he says. “It’s not a matter of if, but when.”

And there is movement. Some insurance providers are beginning to offer premium reductions for ISO-certified organisations, while major corporate clients now demand ISO 27001 certification from vendors.

“It’s becoming a market differentiator,” Stroop concludes. “Organisations serious about protecting their data and reputation cannot afford to ignore ISO 27001 any longer.”

In a digital age where the threat landscape evolves daily, being unprepared is no longer an option.

BUSINESS REPORT