South Africa’s Credit Regulator Hit by Cyberattack as Hackers Claim Major Data Leak

South Africa’s National Credit Regulator (NCR) has been hit by a cyberattack, with a ransomware group claiming it has stolen and published more than 42 gigabytes of sensitive data on the dark web.
The ransomware-as-a-service group DragonForce says the leaked files include internal records belonging to the NCR — the statutory body responsible for regulating credit providers, bureaus, and debt counsellors, and for protecting consumers within South Africa’s lending system.
If verified, the breach could represent one of the most serious data security incidents involving a South African financial regulator in recent years.
Why the NCR Data Breach Matters
As the central oversight authority for the country’s credit industry, the NCR holds large volumes of highly sensitive information.
This includes:
- Registration records of credit providers and bureaus
- Compliance audits and enforcement files
- Investigation reports and internal correspondence
- Consumer complaints and dispute records
- Potentially identifiable personal and financial data linked to lenders and borrowers
Exposure of such information creates risks of identity theft, targeted phishing campaigns, financial fraud, and extortion. It may also undermine public trust in the regulator tasked with enforcing responsible lending standards.
What We Know About the Attack So Far
The NCR first confirmed it had suffered a cyberattack in December 2025, after disruptions were detected across some of its systems. At the time, the regulator did not disclose whether data had been exfiltrated, leaving the full impact unclear.
Months later, DragonForce emerged on dark-web forums and leak sites, claiming responsibility for the attack and publishing what it alleges are internal NCR files totaling more than 42GB.
The regulator has yet to publicly verify the authenticity or scope of the leaked data.
Who Is DragonForce?
DragonForce operates as a ransomware-as-a-service (RaaS) group, providing affiliates with attack infrastructure, automation tools, and leak-site hosting in exchange for a share of ransom payments.
In 2025, the group rebranded itself as a ransomware “cartel,” expanding its operations to include:
- Data analysis services
- Public leak platforms designed to pressure victims
- Higher revenue shares, reportedly offering affiliates up to 80 percent of ransom proceeds
DragonForce has previously been linked to high-profile cyberattacks against major retailers and organizations in the United Kingdom, underscoring its growing operational reach.
A Broader Pattern of Cyber Risk in South Africa
The NCR breach fits into a wider trend of escalating cyber incidents across South Africa’s public and private sectors.
Over the past year, government agencies, state-linked institutions, and regulated industries have faced repeated attacks, exposing gaps in cyber resilience, incident disclosure practices, and response readiness.
For regulators, the stakes are particularly high. Because they are the watchdogs responsible for enforcing compliance and data protection standards, a breach raises difficult questions about whether oversight bodies are adequately prepared to defend the sensitive information they collect.
What Comes Next
Key questions remain unanswered, including:
- Whether the leaked data includes personal or financial information
- How far attackers penetrated NCR systems
- What remediation steps have been taken since the December 2025 incident
- Whether affected parties will be formally notified
As cyber threats increasingly target regulators and critical institutions, the NCR incident highlights the growing need for stronger cybersecurity investment, transparent disclosure, and coordinated national response frameworks.



