Ransomware Attack Forces Land Bank to Seek Extension on Corporate Plan Submission
A significant ransomware cyberattack has crippled key systems at the Land Bank, rendering it unable to finalize and submit its mandatory corporate plan for the 2026/27 fiscal year by the statutory deadline of February 28. Finance Minister Enoch Godongwana formally notified Parliament of the delay, citing the incident as the direct cause and requesting an extension until April 30, 2026.
The corporate plan is a critical strategic document that public entities must table before Parliament ahead of the financial year, as required by the Money Bills Amendment Procedure & Related Matters Act. In a letter to National Assembly Speaker Thoko Didiza, Minister Godongwana stated the bank “is currently unable to access key systems and source information necessary to complete the Corporate Plan submission.” He further noted the breach has hindered compliance with the Public Finance Management Act (PFMA) and other governance frameworks.
Details of the Cyber Incident
The breach was discovered in late February when the Land Bank identified unauthorized activity on its IT infrastructure. Preliminary investigations, detailed by the minister, revealed the attack vector: a threat actor exploited a vulnerability on an internet-connected server. The attackers, identified as a ransomware-as-a-service group, deployed malware that encrypted portions of the bank’s server environment and several employee laptops.
According to the minister’s March written response to parliamentary questions, the attackers demanded a ransom of five Bitcoin—valued at approximately R5.4 million at the time—for the return of data and to prevent its publication. The Land Bank has categorically refused to pay and confirmed no ransom transaction occurred.
While the attack was extensive, a crucial safeguard held: the bank’s core Enterprise Resource Planning (ERP), core banking, and customer relationship management (CRM) systems were not accessed or compromised. However, the broader environment was encrypted or made inaccessible to IT staff and users, directly impacting the data compilation needed for the corporate plan.
Immediate Response and Regulatory Compliance
The Land Bank responded swiftly to contain the incident. Actions taken include:
- Isolating affected systems to prevent lateral movement.
- Removing signs of compromise and beginning data recovery efforts.
- Strengthening security postures by reconfiguring firewalls and patching identified vulnerabilities.
- Implementing strict transaction controls, requiring specific management authorization for all bank account activities.
Furthermore, the bank has complied with all statutory reporting obligations. This includes lodging a case with the South African Police Service under the Cybercrimes Act, notifying the Information Regulator on the day of the breach, and informing affected individuals whose data may have been compromised.
Parliamentary Scrutiny and Expert Analysis
The extension request has drawn attention from parliamentary oversight bodies. DA MP Wendy Alexander, a member of the standing committee on finance, acknowledged the minister’s transparency but emphasized the need for a fuller briefing. “The question for me now is: What is the delay to the development of the corporate plan, which is a strategic document?” she stated, indicating the committee seeks clarity on the full operational impact beyond the immediate system outage.
Legal and cyber risk experts contextualize the attack within a broader industry trend. Sandra Sithole (Partner) and Rethabile Shabalala (Senior Associate) at Webber Wentzel note that digital transformation in finance, while creating opportunity, has “led to increased risk of cyberattacks, fraud and data breaches.” They highlight a compounding challenge: economic pressures may force insurers to raise premiums to cover heightened cyber risks, potentially affecting consumer affordability.
Path to Recovery and Strengthened Defences
The Land Bank’s board has already approved a comprehensive implementation plan to enhance information security controls, aligned with industry best practices. This multi-faceted improvement plan will be rolled out gradually over the next six months. Minister Godongwana reiterated that while the attack caused severe disruption, the integrity of core financial systems remained intact, a critical factor in maintaining overall financial stability.
This incident underscores a stark reality for South Africa’s financial institutions: cybersecurity is not merely an IT issue but a fundamental component of operational resilience and statutory compliance. The Land Bank’s struggle to compile its corporate plan without access to vital source material serves as a case study in how digital infrastructure compromise can directly paralyze core governance and strategic planning functions.
