Introduction

 

The prevalence of cybercrime in South Africa continues to rise, with password-based hacking emerging as one of the most common forms of attack against vulnerable and small businesses. Although frequently underestimated, the legal, financial, and reputational consequences of compromised credentials can be significant.

This article examines the legal framework governing password hacking in South Africa, its implications for small and medium-sized enterprises (SMEs), and the obligations placed on business owners to mitigate associated risks.

 

The Nature of Password-Based Hacking

 

Password-based hacking typically involves unauthorised access to computer systems, networks, or applications through compromised credentials. This may occur through brute force attacks, phishing, credential stuffing, or social engineering. Once access is obtained, attackers may manipulate digital assets such as email and social media accounts, financial platforms, or client databases.

For SMEs, whose cyber defences are often underdeveloped compared to larger corporates, password vulnerabilities pose a disproportionately high risk. In particular, the hijacking of social media or email accounts may enable cybercriminals to solicit funds fraudulently, disseminate defamatory or misleading content, or expose personal information, resulting in cascading legal consequences.

 

Applicable Legislative Framework 

 

Cybercrimes Act 19 of 2020

 

The Cybercrimes Act is the principal statute regulating unlawful access to computer systems and data in South Africa. Section 2 explicitly criminalises the intentional and illegal access to a computer system or computer data, which encompasses the use of stolen or unlawfully obtained passwords.

 

Electronic Communications and Transactions Act 25 of 2002 (ECTA)

 

Although partially superseded by the Cybercrimes Act, ECTA retains relevance in respect of electronic evidence and cyber liability. Section 86(1) criminalises unauthorised access to, interception of, or interference with data. Importantly, section 86(3) creates a presumption against individuals who possess devices or programs designed to overcome passwords or security measures, thereby broadening the scope of liability.

 

Protection of Personal Information Act 4 of 2013 (POPIA)

 

For businesses, POPIA creates direct compliance obligations. Where a password breach results in unauthorised access to or disclosure of personal information, the responsible party may be found non-compliant with the Act's requirements of adequate security safeguards and breach notification to the Information Regulator.

SMEs are particularly at risk of exposure here, as compromised social media or email platforms frequently store client data, photographs, or communications that qualify as personal information under the Act.

 

Liability and Risk for Small Businesses

 

From a liability perspective, SMEs face a dual risk:

  • Direct harm caused by hackers, including financial losses or reputational damage.
  • Regulatory and civil liability for failing to implement adequate safeguards, especially where client information is compromised.

The reputational harm associated with hijacked accounts can be immediate and irreparable, particularly for professional practices such as law firms, medical practices, and financial advisors. Furthermore, failure to implement basic cyber hygiene measures may expose SMEs to claims by clients or sanctions under POPIA.

 

Preventative Measures and Legal Compliance

 

While the legislative framework provides remedies against perpetrators, these are often reactive. Preventative compliance is therefore essential. SMEs should:

  • Implement strong authentication protocols, including two-factor authentication.
  • Conduct regular password audits and revoke outdated user permissions.
  • Train employees to identify phishing and social engineering attempts.
  • Develop incident response policies that comply with POPIA’s breach notification requirements.
  • Retain audit trails and access logs for evidentiary purposes in the event of litigation or prosecution.

Conclusion

Password-based hacking represents a significant and growing threat to South African SMEs. The Cybercrimes Act, ECTA, POPIA, and the common law collectively create a comprehensive framework to criminalise and regulate such conduct. However, the burden on businesses is equally clear: proactive compliance and risk management are not optional, but legally and commercially essential. SMEs that fail to secure digital credentials not only expose themselves to cybercriminals but risk regulatory censure, civil liability, and reputational collapse.

For further assistance, consult an attorney at SchoemanLaw.

SchoemanLaw Inc