By Vicky Sidler | Published 4 December 2025 at 12:00 GMT+2

In good news for South African business owners, data breaches have dropped. In Q3 2025, just over 100,000 accounts were breached, compared to nearly 623,000 in Q2. That’s an 83.9% drop. Someone in IT probably got a high five and a cupcake.

But before you let your guard down, Surfshark’s latest research comes with a warning: even small leaks are now a big deal. Artificial intelligence has made it easier, faster, and cheaper for hackers to turn minor leaks into serious attacks.

And that’s the real headline. The danger is not the number of breaches. It’s what people can do with the data once it’s out.

TL;DR:

• South Africa saw a big drop in data breaches in Q3 2025

• AI tools now help hackers weaponize even small leaks

• Leaked names, emails and addresses can become personalised scams

• 68% of South Africans have already been breached

• One in two victims face password-related risks

👉 Need help getting your message right? Download the 5 Minute Marketing Fix.

Table of Contents:

AI Is Making Basic Data Way Too Useful:

According to Surfshark’s Senior Product Manager Sarunas Sereika, exploiting data used to require some real skills. Now, thanks to AI, a low-level scammer with no coding experience can turn leaked emails and addresses into a phishing operation that looks like your mom designed it just for you.

Let’s say your email and phone number got leaked in a breach. Nothing sensitive. No credit card, no ID number. Just your name, your Gmail, and your old Telkom number. Sounds harmless, right?

With AI, that small leak becomes a tailor-made scam. Think fake invoices from tools you actually use. WhatsApp messages that sound like your suppliers. Browser ads that look like your own client dashboard. It’s like digital identity theft with a personal touch.

SA Breaches Are Down, But We’re Still Exposed:

The overall breach numbers are lower this quarter. Globally, account leaks fell 22.3%. In South Africa, we dropped from five to one breach per minute. That’s good. But here’s the problem. We were starting from a bad place.

South Africa ranks second in Africa for total breaches since 2004. Over 43 million local user accounts have been compromised. That includes 12.8 million unique email addresses and nearly 23 million passwords.

Statistically, 68 out of every 100 South Africans have already been caught in a breach. That means the chances your business email has been compromised are fairly high. If you’re reusing that password across accounts, the risk just doubled.

And if that leaked account is connected to your website, CRM, bank login or customer database? Now we’re not just talking about fake invoices. We’re talking about full-on data exposure and reputational damage.

What Counts As a Breach Anyway?

A data breach is when private user information is accessed or exposed without permission. That might include emails, passwords, IP addresses, phone numbers, home addresses and more.

In Surfshark’s study, every leaked email counts as one breached account. Some leaks include just the email. Others come with additional details, like location data or login credentials. The more details included, the more dangerous the breach.

The leaked data used in this study was collected from 29,000 public databases and then anonymised before analysis. Countries with populations under one million weren’t included.

Global Context: South Africa Isn’t Alone:

Worldwide, France took first place this quarter with over 15.5 million breached accounts. Germany and the US tied for second. Canada, India and the UK were also high on the list. South Africa ranked 36th out of all countries.

Europe was the most affected region overall, contributing 40 percent of all global breaches. North America and Asia followed closely behind.

The takeaway? This is not just a local issue. Businesses everywhere are dealing with the same threats. But in countries like South Africa where digital infrastructure is still patchy and cyber hygiene is low, the risks are higher.

What South African Business Owners Should Do:

You don’t need to be a cybersecurity expert. But you do need to cover the basics. Here’s a quick checklist that could save you a lot of grief:

1. Use a Password Manager:

Never reuse passwords. Especially not for business logins. Use a password manager that creates and stores strong, unique passwords for every platform.

2. Turn on Two-Factor Authentication:

If a hacker gets your password, they still need your phone. This tiny step can stop most attacks.

3. Watch for Phishing:

Double check emails and messages that look slightly off. Urgent payment requests, slightly misspelled domains, or unfamiliar invoice links are classic red flags.

4. Educate Your Team:

Scams are getting more believable by the week. Make sure your staff knows how to spot suspicious emails, links, and login requests.

5. Check if Your Data Was Breached:

Use Surfshark’s data breach monitoring tool or HaveIBeenPwned.com to check if your email address is already compromised.

AI Isn’t the Enemy, But It’s Not Your Friend Either

AI is like that very charming intern who looks great on paper but also once deleted your whole client folder because they misunderstood “archive.”

It’s a powerful tool. But in the hands of someone with bad intentions, it speeds up the damage. Think less "Terminator" and more "superfast scammer who actually knows your name and where you live."

So even if breach numbers are falling, the cost of ignoring them is rising.

A Final Word on Trust

For small business owners, trust is everything. When clients hand over their information, they expect you to keep it safe. One breach can shatter that. And in a world where reputations are made and destroyed online, fixing the damage isn’t just expensive. It’s exhausting.

Clarity builds trust. Confusion creates risk. That goes for your marketing too.

If your message is unclear or your brand seems sketchy, clients won’t trust you. And if scammers sound more like you than you do, you’ve got a problem.

If you want support creating a message that builds trust, start with my 5 Minute Marketing Fix. It will help you write one clear message that instantly builds trust with your audience.

👉 Download it free here.

Related Articles:

1. Small Businesses Are Being Targeted—Here’s What Cybersecurity Stats Say in 2025

If today’s article made you rethink your data security, this one backs it up with stats showing why small businesses are now prime cybercrime targets.

2. AI Fraud Crisis Warning—What Small Biz Must Do Now

If you’re worried about scammers using AI, this article explains exactly how fraud tactics are evolving—and what to do before they hit your business.

3. AI Hallucinations in Court—Big Trouble for Legal Trust

Even lawyers are falling for fake AI-generated content. This piece shows how misinformation spreads—and how to protect your business from making similar mistakes.

4. AI Can’t Replace Expertise—Tea Data Breach Proves It

A dating app’s massive data leak reminds us why security needs human oversight. This one’s a short, sharp lesson in getting the basics right.

5. Risks and Artificial Intelligence: What Small Businesses Must Know

Want the big picture? This article breaks down the real risks of using AI tools—from data leaks to trust loss—and how to stay smart about adoption.

Frequently Asked Questions About AI and Data Breaches in 2025

1. Is it true that South African data breaches have decreased?

Yes. In Q3 2025, South Africa saw an 83.9% drop in breaches compared to the previous quarter. But fewer breaches doesn't mean less risk. AI is making smaller leaks more dangerous.

2. Why are small leaks still dangerous if no passwords or IDs are included?

Because AI tools can now combine leaked names, emails, and phone numbers to create highly personalised scams. Even basic data can be used to impersonate your suppliers, customers, or platforms.

3. How many South Africans have been affected by data breaches?

Surfshark’s data shows 68 out of every 100 South Africans have had their information leaked. Since 2004, over 43 million local user accounts have been breached.

4. What kind of information is typically exposed in a data breach?

Leaked data can include emails, passwords, phone numbers, zip codes, IP addresses, and even location data. Some leaks are minimal. Others are complete identity kits.

5. How does AI make data breaches more dangerous?

AI tools let scammers quickly process and use leaked data. That means more believable phishing emails, fake invoices, or impersonation attempts—without needing coding or hacking skills.

6. Is this just a South African problem?

No. In Q3 2025, global breach numbers reached over 90 million. France, Germany, the US, India, and Canada were the most affected. South Africa ranked 36th.

7. What’s the best way to check if my business email has been breached?

You can use tools like HaveIBeenPwned or Surfshark’s Data Breach Monitoring Tool to check if your email has been compromised.

8. What’s the first step to protect my small business?

Start by using a password manager, enabling two-factor authentication, and educating your team on how to spot phishing attempts. Those three steps alone block a lot of threats.

9. Should I be worried if my personal email was breached, not my work one?

Yes. If your personal email is connected to work tools or reused for logins, it can still put your business at risk. Hackers often test logins across platforms using leaked data.

10. How can clear messaging help with data security?

Scammers thrive on confusion. If your brand messaging is unclear or inconsistent, it’s easier for imposters to trick your customers. A clear, trustworthy message makes phishing attempts easier to spot—and less effective.

👉Download the 5 Minute Marketing Fix to tighten up your messaging and make sure your clients know what’s real.