Land Bank declines to confirm R50m ransom claim as cyber investigation continues


The Land and Agricultural Development Bank of South Africa (Land Bank) has declined to confirm or deny reports that cybercriminals demanded a R50 million ransom following a cybersecurity breach last month, saying it will not comment on alleged ransom demands while investigations are ongoing.

This comes after the Land Bank reported a “temporary disruption affecting certain internal IT systems” that occurred on 12 January, after which it took the affected systems offline as a precautionary measure to protect its operations and information.

However, a source close to the situation has claimed that the bank’s IT systems were hacked and that the perpetrators allegedly demanded a R50m ransom. It remains unclear whether any ransom was paid.

In an emailed response to BR on Friday, the bank confirmed it experienced a cybersecurity incident caused by an unauthorised third party that deployed ransomware, which encrypted part of its server environment. However, it refused to engage on specific details relating to any possible ransom.

“As a matter of security and investigative protocol, the Bank does not comment on specific aspects of threat actor engagement, including any alleged ransom demands, while the forensic process is ongoing,” the bank said. 

While questions remain about whether a ransom was demanded — and if so, how much — the bank has made clear that it will not discuss such matters publicly while investigations are ongoing.

“Our focus remains on system recovery, protecting stakeholders, and supporting law enforcement efforts,” it said.

Sources also indicated that employee laptops were confiscated and new devices issued following the breach. The bank confirmed that employee devices were temporarily collected for comprehensive security scanning and cleansing as part of containment and remediation measures.

“This is a standard precautionary step in cyber incident response aimed at ensuring all endpoints are secure before being returned to service. These actions reflect our commitment to maintaining a resilient and secure technology environment,” it said.

Belgium Campus iTversity researcher, Jacqui Muller, said when an organisation experiences a cyber security breach, the response must be immediate, structured and aligned with both technical best practice as well as regulatory requirements.

“The first priority is containment, which involves isolating affected systems, revoking compromised access, resetting credentials and preventing further spread within the network. Actions such as confiscating or replacing employee laptops are often part of forensic preservation and containment protocols, rather than an indication of the breach’s scale,” she said.
