MTN Group has confirmed that the cybersecurity incident the company disclosed last week and which affected the personal information of its customers in “certain markets” led to a demand from the attackers.
The specific markets affected by the attack have not been detailed, but MTN has confirmed to TechCentral that South Africa’s Information Regulator has been notified of the incident, suggesting customers in the pan-African operator’s home market are among those affected.
“For the customers we are notifying in affected markets, we believe that the personal information potentially accessed may include some limited contact details, such as names, surnames and mobile numbers,” an MTN spokeswoman said. “The investigation is still ongoing, but we can confirm that the threat actor has made a demand.”
The nature and quantum of the demand has not been disclosed. MTN said the ongoing nature of the investigation limits the amount of information it can share, but affected customers will be receiving more detailed letters in line with regulatory and legal requirements.
The attack on MTN’s digital infrastructure may be setting a worrying trend for South Africa’s telecommunications sector. In January, Cell C was hit by a ransomware attack. A group called RansomHouse was later identified by TFI, a cybersecurity and telecoms research company, as the perpetrator of that attack.
MTN said its investigation into its incident continues in collaboration with “relevant law enforcement agencies”.
Highly targeted
According to a report by cybersecurity specialist Check Point Software Technologies, Namibia’s state telecoms company, Telecom Namibia, was hit by a ransomware attack in December 2024. The ransomware group Hunters International was identified as the perpetrator that stole more the 600GB of customer data in the attack.
Check Point data shows that the telecoms sector is among those with the highest number of attacks in South Africa. In the last six months, there was an average of 1 062 weekly attacks on organisations in the sector, according to Check Point.
Read: SAPS cannot fight cybercrime on its own
Attacks on telecoms companies are not limited to the developing world. In February, NTT Communications, the Japanese telecoms giant, discovered a data breach that compromised more than 17 000 customer profiles. In March, Swiss telecoms provider Ascom was hit by a cyberattack affecting its ticketing system, leading to 44GB of data being stolen. And in April, cybersecurity researchers identified an espionage operation by Weaver Ant targeting various telecoms firms throughout Asia, said Check Point.
Despite MTN’s assertion that the data stolen in the breach is limited to contact information while core systems such as billing and mobile wallets seemingly remain unaffected, the stolen data can still be exploited by the hackers to take advantage of the parties affected.
Hendrik de Bruin, head of security consulting for Southern Africa at Check Point, said the stolen data could be used to perpetrate other crimes, including identity theft, where the information is used to apply for credit and other similar activities.
Attackers holding partial user information can also use it in a phishing attack, where they use what they already know about the customer to convince them that they are a trusted party like their bank to gain access to more sensitive information such as banking app logins or one-time Pins.
MTN has advised its customers to keep their MTN, mobile money and banking apps updated, and to use strong, unique passwords for their accounts and change them regularly. Users have also been advised to be aware of suspicious calls or links sent via SMS or e-mail.
Read: MTN Group hit by ‘cybersecurity incident’
“Africa is a massive consumer of mobile networks, phones and applications. According to the GMSA Mobile Economy sub-Saharan Africa 2024 report, there were an estimated 527 million mobile phone subscribers in 2023. This is expected to grow to 751 million by 2030. Almost every adult has a mobile device, which makes telecoms providers across Africa valuable targets for cyberattacks,” said De Bruin. – © 2025 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.
- This article has been updated to reflect the fact that MTN has not disclosed whether or not the incident was a ransomware attack