The Breach is in the Database

Key Takeaways

• The extraction point, not the entry point – Security investment concentrates on the perimeter and the endpoint, but the data leaves from the database – the one layer most often left unmonitored.
• Same layer, every sector – The breach pattern spans real estate, telecoms, government, healthcare, and financial services – but the point of extraction converges on the same ungoverned destination: the database.
• A residency, not a raid – At 241 days to identify and contain a breach, attackers are not smashing and grabbing. They are mapping schemas, extracting in controlled batches, and building persistent access at leisure.
• Governance debt, not zero-day exploits – The recurring failure mode is not sophisticated attack craft. It is accumulated misconfiguration: standing privileges, default credentials, and access rights that were never reviewed.
• The regulator asks what you can prove – POPIA enforcement has moved from advisory to penalty, and the question is whether active visibility existed before the breach, not after.

At the pace recorded in the most recent reporting period, South African organisations are experiencing a data breach every three hours. The Information Regulator recorded 2,374 formally reported incidents in the 2024/25 financial year – and the figure rose a further 40 percent in the months that followed. In the financial sector alone, the average cost of a single breach has reached R70.2 million.

Security budgets are increasing, awareness is rising, and the regulatory environment is tightening in ways that carry real financial and personal consequence. The frequency of breaches is not falling. The question that warrants more attention is not how much is being lost. It is where, specifically, the losses are originating.

The answer, examined across a consistent body of breach evidence, points to the same layer. Not the perimeter, where most security budgets are concentrated. Not the endpoint, where detection tooling is most mature.

The database is where the extraction happens – the specific part of the enterprise stack that carries the data every other investment is designed to protect. And in many of the most consequential breach events of the past twelve months, there was no monitoring layer in place to observe any of it.

Wrong Address

Enterprise security investment concentrates on the visible: firewalls, endpoint protection, email filtering, identity and access management at the perimeter. The investment reflects genuine discipline and genuine expertise. What it does not address is what lies behind the perimeter.

Data does not live at the edge. It lives in the database. When a breach results in the exposure of client records, financial histories, health information, or personal identifiers, the access path typically runs through the network or a compromised credential – but the point of extraction is the database. The network provides the route in. The database is the destination, and it is there that the most consequential access occurs and the most sensitive data is extracted.

Governing the route without governing the destination is the structural gap that South Africa’s breach record continues to expose.

Unguarded Layer

What stands out in the significant breach events of the past six months – locally and internationally – is not the sophistication of the attacks. It is the repetition of the same preventable failure modes, and the consistency of the layer they exploit.

In South Africa’s incident record, the pattern spans the economy: real estate, telecoms, government, healthcare, financial services. Client contact details, identity numbers, financial records, medical histories, employment and applicant data – held across systems trusted with it, and extracted in volumes that were anything but small.

In several of these cases the breach was not discovered through internal detection at all. It surfaced through external notification – a security researcher, a third party, or, in the worst cases, through the data appearing elsewhere entirely. The organisation learned it had been breached from outside its own walls.

The global record matches. An unprotected database deployed without authentication controls exposed more than 184 million credentials in a single incident. IBM’s 2025 Cost of a Data Breach Report found organisations took an average of 241 days to identify and contain a breach. The Verizon 2025 Data Breach Investigations Report identified credential abuse and vulnerability exploitation as the two leading initial access vectors – both far more containable when the database layer carries active security governance, and far more damaging when it does not.

Consider what 241 days represents in practice. An attacker operating inside a database estate with no monitoring layer does not need to rush. They map the full schema at leisure, identifying what data exists, how tables relate, which records carry the highest value. They extract in small, controlled batches that generate no volume alerts. They create persistent access mechanisms – additional accounts, modified credentials – that survive a routine password reset. They return repeatedly over weeks and months, refining what they take.

The misconfiguration problem compounds this in ways specific to the database layer. Most enterprise database environments carry security debt accumulated over years of growth and operational change. A service account is granted DBA-level privileges for a temporary deployment and never reviewed. Default credentials stay on databases that moved from test into production without a formal security handover. Access rights are provisioned when an employee joins, extended as their responsibilities grow, and never reduced when their role changes or they leave.

None of these are obvious attack surfaces – each permission exists legitimately in the system. Without active governance at the database layer, there is no mechanism to distinguish the authorised use of those rights from their abuse.

On Your Watch

When a breach hits a database under your governance, the question the Information Regulator will ask is not whether the perimeter was defended. It will be whether you had active visibility into what was happening at the data layer – whether monitoring existed, whether access was governed, whether you can account for what was accessed and when.

Active visibility at the database layer is a specific practice, not a general aspiration. In its mature form it carries four disciplines.

The first is continuous monitoring of database activity itself – who is accessing what, from where, at what time, and against which objects. Not the activity of the application in front of the database, and not the network traffic on the wire, but the queries and administrative actions executed against the data estate. Without that telemetry, the 241-day average is the arithmetic of absence.

The second is governed privileged access. The database accounts that hold DBA-level rights are the ones capable of reading anything, extracting anything, and removing traces of having done so. Governance means those accounts exist in a reviewed, justified, time-bound form: who holds them, for what purpose, for how long, and with what approval. Standing privilege without expiry is the structural enabler of the slow, deliberate extraction pattern.

The third is vulnerability management specific to the database layer. Patch levels, configuration baselines, default credentials, exposed endpoints, deprecated protocols – tracked against the estate as a whole, not left to ad-hoc operational attention when a specific system breaks. The Verizon finding on vulnerability exploitation as a leading initial access vector is a database-layer observation being reported as a general one.

The fourth is the audit trail. A recorded, tamper-resistant log of what happened, available to produce on demand. The regulator’s question does not ask you what you think happened. It asks you what you can prove.

None of this is exotic. It is the operating discipline of a governed database estate – and it is the specific content of the question the Information Regulator will ask you.

Under POPIA’s current enforcement posture that question carries specific consequences: administrative penalties reaching R10 million, criminal liability for certain offences, and a notification obligation that requires you to report as soon as reasonably possible. The evidence of what happened needs to exist before you are asked to produce it.

South Africa’s regulatory environment has moved from advisory to enforcement. The direction of travel is toward less tolerance, not more. Governance at the data layer is no longer a best practice. It is an obligation with a measurable cost attached to its absence.

The Last Word

I have spent the better part of three decades working alongside South African organisations managing complex data environments. The breach data of the past twelve months does not read, to me, as a story of attackers growing beyond all reasonable defence. It reads as a story of databases left unobserved, vulnerabilities left unaddressed, and access rights left ungoverned at the layer that deserved governance most.

I have seen this up close, more than once. The cost is always higher than it needed to be.

Also See

> Database Security and Compliance with DB Shield
> Why Database Auditing Is No Longer Optional

By: Johan Lamberts