Standard Bank data stolen and leaked online
A threat actor has revealed that 1.2TB of confidential data stolen from Standard Bank, which includes client credit card information, will now be leaked online in parts.
The bank, the largest in South Africa by assets, was breached in late February, with the hacker known as "ROOTBOY" claiming that they spent "just over three weeks" in the bank's system undetected.
On 23 March 2026, both Standard Bank and its subsidiary, Liberty, a life insurer and investment provider, reported that they had suffered data breaches at the hands of unknown actors.
Standard Bank stated that a limited set of client credit card details, including card numbers and expiry dates, appeared to have been leaked online.
"We are communicating directly with those clients and proactively replacing their cards as a precaution. CVV numbers are not impacted," it assured.
The bank previously revealed that client names, ID numbers, company registration numbers, phone numbers, email addresses, and account numbers were affected by the breach.
On 23 March 2026, Standard Bank said that its systems were subject to "unauthorised access" and that external experts were now investigating both incidents.
The bank subsequently confirmed to MyBroadband that the two incidents are related but involve separate legal entities, and the data involved is different.
According to the threat actor's post on the dark web hacker forum Dark Forums, they had spent weeks moving through the bank's internal systems, exfiltrating data.
This includes data from Microsoft SharePoint, OneDrive, and Power Apps, as well as from AppDynamics, Jira, Confluence, Citrix, Remedy, and Standard Bank's Microsoft and Oracle SQL databases.
In an update published this week, the bank revealed that its internal administrative and document filing systems were affected by the breach.
We asked bank representatives whether Standard Bank had paid a ransom to prevent sensitive client data from being leaked, but they refused to confirm or deny any payments.
However, according to the threat actor's dark web leak site, no payments have been received, and they will continue leaking customer data until they receive 1 bitcoin.
According to the attacker, they stole data comprising 154 million rows of SQL, which they said would be released in batches.
"Beginning on February 27th 2026, the 3-week-long attack on both Standard Bank and Liberty has resulted in 1.2TB of data being exfiltrated from internal servers," threat actor ROOTBOY claimed.
"A peaceful resolution was sought out with Standard Bank, however after 2 weeks of back and forth they made the decision to abandon their customers," they said.
They are extorting the bank for R1.2 million in bitcoin to stop leaking sensitive client information, which also includes passport numbers, driver's licence numbers, and home addresses.
Additionally, they are threatening to leak detailed employee data, and bulk customer and corporate transactional data.
"Our transactional banking and core operating systems were not accessed, remain secure, and are available to all our clients and employees," Standard Bank had said in March.
"During this period, we continue to work tirelessly to engage with our clients who have been impacted. This will continue while we make meaningful progress in our investigations into the incident."
The bank said it has reported the incident to the relevant regulatory and law enforcement authorities. "We continue to cooperate with their processes," it said.
Both Standard Bank and Liberty shared similar initial statements about roping in external experts, operating within robust regulatory frameworks, and fully complying with all applicable obligations.
Liberty initially sent SMS notifications to affected customers, informing them that their personal information stored on the provider's systems had been compromised.
"Your policies and investments remain secure, and our services are running normally," the notification to customers stated.
Liberty's CEO, Yuresh Maharaj, said that its core systems remained unaffected, fully operational, and available to all clients, advisors, and employees.
"Our team, supported by experts, has launched a full investigation into this incident. We operate within a robust regulatory framework and fully comply with all applicable obligations," he said.
Standard Bank urged clients to update their banking app passwords, use biometric protection where possible, and avoid clicking on suspicious links or unfamiliar website URLs following the leak.
Source - MyBroadband