Security25.05.2026

SARS denies it was breached by Nigerian hacker group

The South African Revenue Service (SARS) said claims by a hacktivist group that its systems have been breached were false and unsubstantiated.

Over the weekend, a group calling itself Nullsec Nigeria said it breached SARS and the South African Information Technology Agency (SITA).

SITA denied that it had been breached on Sunday. SARS issued a statement on Monday denying that any foreign threat actors compromised its systems.

“SARS continuously monitors its systems for any suspicious activity and has conducted a thorough investigation in response to these reports,” it said.

“At this stage, there is no evidence that SARS’s systems have been compromised. SARS wishes to reassure the public regarding the integrity of its systems.”

The revenue service said it treated the protection of taxpayer information and the security of its digital platforms as sacrosanct and considers them core responsibilities.

“This dovetails with SARS’s broader commitment to build a smart, modern institution with unquestionable integrity, and to strengthen public trust and confidence in the tax administration system,” it said.

“SARS will continue to monitor its digital environment and, where necessary, will communicate through its official platforms.”

On 23 May 2026, Nullsec Nigeria, which previously operated under the name Anonymous Nigeria, posted links on a hacker forum to allegedly compromised data from two South African organisations.

It claimed the SARS data included names, email addresses and passwords used on official websites. The SITA link allegedly contained names, passwords, and the platforms used to access SITA services.

MyBroadband reported on Sunday that the breach did not appear to be legitimate after a South African cybersecurity researcher analysed the data.

“In my opinion, there is not enough information to confirm the SARS and SITA breach claims are real,” they said.

Nullsec doubles down

Nullsec Nigeria’s logo

Nullsec Nigeria told MyBroadband via the encrypted messaging service Session that the breaches were real and that it would not leak information belonging to South African citizens.

“They’ll deny it or find a way to fix the problem so fast it makes us look like fools. That data is the real data,” they said.

“All the documents which were from the hacks are based on ignorance of proper security. The government of South Africa must know those cheap games ain’t a game anymore.”

MyBroadband could not independently verify the breaches due to insufficient evidence from the Nigerian group.

SITA head of corporate affairs, Tlali Tlali, said the organisation’s ICT infrastructure had not been compromised and that its systems were fully intact.

Tlali explained that SITA’s security teams operate 24/7 and are equipped with monitoring and threat-detection capabilities.

“All systems have been tested and verified as fully operational, and no anomalies indicative of a cyberattack have been identified,” the organisation said.

SITA, which operates the South African government’s digital infrastructure, said that only one significant government organisation’s website was down at the time of its feedback to MyBroadband.

This was the website of the South African Police Service (SAPS), which we verified was inaccessible at various times on Saturday, 23 May, and Sunday, 24 May.

“We wish to clarify that the downtime of a website of that department is the direct result of a scheduled and planned maintenance window,” Tlali said.

Users visiting the SAPS website received a message that it was unreachable. Nullsec Nigeria posted that the site was “tango down” on its Telegram channel, leading to assumptions that it had attacked the site.

Last week, Nullsec Nigeria also claimed responsibility for breaching systems belonging to the Department of Correctional Services and posted links to alleged exfiltrated data.

At the time, the group said the hacks were part of a coordinated effort by multiple threat actor groups in a campaign dubbed #OpSouthAfrica.

The campaign aimed to attack South African government organisations amid the increased incidence of xenophobic attacks on foreign nationals in South Africa, including Nigerians.

“We’ll expose all your evil deeds for the world to see, unless this attack stops. But if not, we’ll leak everything they got,” the group said.

Show comments

Latest news

More news

Trending news

Poll

Which bank do you use for your day-to-day transactions?

View Results

Loading ... Loading ...
Sign up to the MyBroadband newsletter