Cybersecurity | April 18, 2026

Standard Bank Confirms 1.2 TB Breach Exposes Card Numbers, CVV Safe

Standard Bank confirmed a 1.2 TB breach that leaked credit‑card numbers and expiry dates but not CVV codes, while core banking systems stayed operational. Learn what happened and what defenders should do.

Peter Olaleru/3 min/GB

Cybersecurity Editor


**TL;DR** Standard Bank confirmed a 1.2 TB data breach that exposed credit‑card numbers and expiry dates for a limited number of customers; CVV codes were not compromised and core banking systems remained operational.

**Context** On 27 February 2026 attackers gained unauthorized access to Standard Bank’s internal servers and began exfiltrating data. The intrusion was first noticed when the Prinz Eugen ransomware leak portal published a timeline showing a three‑week campaign that also targeted Liberty. The bank disclosed the incident on 23 March after securing the environment and launching an investigation with external experts.

**Key Facts**

- Approximately 1.2 terabytes of data were copied from administrative and document‑filing systems.
- The exposed data set includes customer names, addresses, emails, phone numbers, South African ID numbers, driver’s licence numbers, passport numbers, credit‑card numbers and expiry dates, plus employee and transactional records.
- CVV numbers were not part of the stolen data.
- Standard Bank said its banking, transactional and core operating systems were not accessed, remain secure and are fully operational.
- The bank is directly contacting affected customers and issuing replacement cards as a precaution.
- Investigations are ongoing and the incident has been reported to regulators and law‑enforcement.

**What It Means** The breach shows how attackers can harvest large volumes of non‑financial personal data while avoiding the most sensitive card verification value. Although the core banking platform was untouched, the stolen PII enables identity‑theft and phishing campaigns. Attackers likely used valid accounts (T1078), command‑line scripting (T1059) and staged data in compressed archives (T1560.001) before exfiltration. Defenders should review privileged‑access controls, enforce multi‑factor authentication, and segment administrative file servers from the rest of the network. Monitoring for unusual outbound transfers (MITRE ATT&CK T1041) and detecting misuse of valid accounts (T1078) can help catch similar activity early. Applying current patches for known vulnerabilities (e.g., CVE‑2021‑34527 PrintNightmare) and enabling data‑loss‑prevention rules reduce exfiltration risk. Organizations should also test incident‑response playbooks and maintain offline backups.
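An added example, not part of the original article or any tooling used in the investigation: a minimal Python correlation of the archive‑staging (T1560.001) and outbound‑transfer (T1041) signals named above. The event fields, host and user names, internal ranges, threshold and time window are assumptions, and the events are constructed.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: internal ranges, threshold and window are placeholders to tune.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVER = re.compile(r"\b(7z|7za|rar|zip|tar)(\.exe)?\b|Compress-Archive", re.I)
EGRESS_BYTES = 5 * 10**9      # per-flow bytes to an external address worth alerting on
WINDOW = timedelta(hours=2)   # how long after archiving an upload still counts as staged

# Constructed sample events (hypothetical hosts and users, not data from the incident).
EVENTS = [
    {"ts": "2026-01-10T01:02:00", "host": "fs-admin-01", "type": "process",
     "user": "svc_backup", "cmdline": r"7z.exe a D:\stage\docs.7z D:\filing"},
    {"ts": "2026-01-10T01:40:00", "host": "fs-admin-01", "type": "netflow",
     "dst": "203.0.113.50", "bytes_out": 48 * 10**9},
    {"ts": "2026-01-10T01:45:00", "host": "fs-admin-01", "type": "netflow",
     "dst": "10.0.5.20", "bytes_out": 20 * 10**9},          # internal copy, ignored
    {"ts": "2026-01-10T02:00:00", "host": "ws-114", "type": "netflow",
     "dst": "198.51.100.7", "bytes_out": 30 * 10**6},       # below threshold
    {"ts": "2026-01-10T03:00:00", "host": "fs-admin-02", "type": "process",
     "user": "alice", "cmdline": "tar czf /tmp/report.tgz /srv/reports"},
    {"ts": "2026-01-10T09:00:00", "host": "fs-admin-02", "type": "netflow",
     "dst": "203.0.113.9", "bytes_out": 9 * 10**9},         # archive too old to correlate
]

def is_external(dst):
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """Alert on large external egress; severity is 'high' when an archive
    utility ran on the same host within WINDOW before the transfer."""
    staged, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and ARCHIVER.search(ev["cmdline"]):
            staged.setdefault(ev["host"], []).append((ts, ev["user"]))
        elif (ev["type"] == "netflow" and ev["bytes_out"] >= EGRESS_BYTES
              and is_external(ev["dst"])):
            users = sorted({u for t, u in staged.get(ev["host"], []) if ts - t <= WINDOW})
            alerts.append({"host": ev["host"], "dst": ev["dst"],
                           "severity": "high" if users else "medium",
                           "techniques": ["T1560.001", "T1041"] if users else ["T1041"],
                           "staged_by": users})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The `staged_by` account in a high‑severity alert is the first place to look for valid‑account misuse (T1078), since it identifies which credential ran the archiver before the upload.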

**What to watch next** Regulators may issue fines or guidance based on the breach’s scale, and additional data dumps could appear on leak sites, prompting further customer notifications and potential fraud attempts.
