How 2025 Became the Year African Cyber Breaches Went Public

Oluwafemi Kehinde
January 2, 2026

In 2025, the era of the “quiet compromise” effectively came to an end across Africa. For years, African corporations treated cybersecurity failures as skeletons to be locked in the IT closet; however, last year, those skeletons began breaking down the doors. The luxury of silence evaporated as sophisticated attacks and aggressive new regulations made it impossible for institutions to hide their scars.

Tech Cabal reports that across the continent, governments pivoted from passive observation to active enforcement. Algeria led the charge, stripping companies of their discretion by mandating a strict five-day window to report breaches or face crippling financial penalties. Similarly, Kenya and South Africa fundamentally redefined data breaches, moving them from the realm of “private IT headaches” to high-stakes public disclosures.

In Kenya, the “wait and see” approach became a legal liability. New mandates require operators to alert data controllers within 48 hours of a suspected hit. Preliminary reports must be submitted to the Office of the Data Protection Commissioner (ODPC) within 72 hours, even if the full scope of the damage remains unknown. For Kenyan firms, stalling is no longer a strategy; it is a regulatory offence that can lead to the total revocation of data processing rights.

South Africa mirrored this intensity by digitising the confession process. The Information Regulator’s new online portal, launched in April 2025, requires companies to provide a granular audit of every breach: what was stolen, how it happened, and how they plan to protect victims. This transparency move saw reported breaches surge to 2,374 for the 2024/25 period, a number that reflects not necessarily more attacks, but a drastic reduction in corporate evasion.

Zambia took a different path, reclassifying cybersecurity as a matter of national survival rather than back-office maintenance. By splitting its legal framework into the Cyber Security Act and the Cyber Crimes Act, Zambia placed sectors like energy, banking, and transport under a “critical infrastructure” microscope. Failure to comply with these new audits can result in $48,000 fines or, for more egregious negligence, up to a decade in prison.

If 2024 was defined by the breach of South Africa’s National Health Laboratory Service, 2025’s “trophy” hit was Kenya’s M-TIBA in October. Hackers shifted their tactics from simple encryption to “public shaming,” leaking sensitive medical data via Telegram channels to extort ransoms.

Telecom giants, once considered the fortresses of the digital age, proved surprisingly vulnerable. Telecom Namibia was hit in December 2024, with the fallout leaking the billing data of senior government officials well into 2025; Cell C suffered a RansomHouse attack in which customer data was weaponised on the dark web for fraud; and MTN Group disclosed massive breaches affecting subscribers in both South Africa and Ghana, turning the mobile operator into a case study for criminal investigations.

The most chilling example of infrastructure vulnerability occurred at Eskom, South Africa’s power utility. A forensic investigation revealed that criminals, aided by internal colluders, manipulated the Online Vending System to generate fraudulent electricity tokens, syphoning off up to $66 million. It was a stark reminder that the most dangerous threats often have an “insider” key.

While ransomware made headlines, state-sponsored “silent” actors like Salt Typhoon (linked to China) focused on observation rather than disruption. Their target? The metadata associated with daily life. In South Africa, rumours of the RedNovember group infiltrating the State Security Agency sparked a public spectacle, even as officials denied the intrusion.

Simultaneously, the human element of security was undermined by AI-driven social engineering. The “deepfake” era arrived in full force, with finance managers receiving video calls from “CEOs” who looked and sounded perfect. In West Africa, the infamous Black Axe syndicate evolved into a transnational machine, blending traditional Business Email Compromise (BEC) with AI-generated “sextortion” schemes.

Between 2019 and 2025, Africa lost over $3 billion to cybercrime. According to INTERPOL, a staggering 90% of African businesses still operate without adequate protocols. While the world spends heavily on proactive threat hunting, most African firms remain trapped in a reactive cycle, spending only a fraction of what their global counterparts do on preventative security. As 2026 begins, the fear has shifted. African institutions no longer just fear the hacker; they fear the transparency that reveals how unprepared they truly were.

Nigeria remains the epicentre of both digital innovation and cyber-risk in Africa. The spate of cybercrime has evolved from the stereotypical “Yahoo-Yahoo” emails to high-level insider abuse and fintech exploitation. The Access Bank incident, where staff allegedly diverted ₦826 million through fake accounts, highlights a critical Nigerian trend: the “inside job.” As Nigerian banks and fintechs scale at light speed, their internal controls are struggling to keep pace with the lure of quick wealth among employees. Furthermore, the Nigerian Data Protection Commission (NDPC) has begun “barking and biting,” as evidenced by the ₦766 million fine imposed on MultiChoice. Nigeria is no longer a lawless digital frontier; it is becoming a regulated battlefield where data privacy is a billion-naira liability.

As cybersecurity remains the “invisible infrastructure” of modern tourism, its impact is multifold. International tourists, particularly from the EU and the US, are susceptible to data privacy concerns. A high-profile breach of a national airline (such as the South African Weather Service incident) or a hotel booking engine can create a “perception of insecurity” that can deter high-spending visitors. Countries like Mauritius, Kenya, and Nigeria are vying for “digital nomads.” If these professionals feel their financial data and identity are at risk due to weak national cyber-frameworks, they will choose more “digitally stable” destinations in Southeast Asia or Eastern Europe. Plus, cyberattacks on critical infrastructure, ports, airports, and power grids lead to grounded flights and logistical nightmares, directly bleeding revenue from the hospitality sector.

Keep tabs on Rex Clarke Adventures for more on travel, the business of tourism, and the next wave of digital disruption.

FAQs

Why did cyber breaches become “harder to hide” in 2025?
New regulations in countries like Kenya, South Africa, and Algeria mandated strict reporting windows (often 48–72 hours). Additionally, hackers began using “exposure strategies”—leaking data on public platforms such as Telegram to coerce companies to admit the breach.

What is the greatest threat to Nigerian banks today?
While external hacking remains a threat, “insider” abuse—where employees collude to divert funds—has become the most damaging and hardest-to-detect compromise in the Nigerian financial sector.

How does the “Cyber Security Act” in Zambia differ from others?
Zambia treats cybersecurity as “critical infrastructure.” This means sectors like energy and transport are legally obligated to host data locally and undergo mandatory national audits, with prison time as a penalty for failure.

Can AI really mimic my boss in a video call?
Yes.
In 2025, AI-driven social engineering matured, allowing criminals to create “deepfake” videos and audio that can bypass traditional visual checks, making it easy to trick finance managers into authorising fraudulent transfers.

What is the financial impact of cybercrime in Africa?
INTERPOL says that Africa lost more than $3 billion from 2019 to 2025. Beyond direct theft, significant additions to the tally stem from the loss of investor confidence and the costs of regulatory fines (such as the ₦766m fine imposed on MultiChoice).