SARS Refutes Breach. Now Calm Your Clients.

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Over the weekend of 24 to 25 May, social media posts and online reports claimed that both SARS and the State Information Technology Agency (SITA) had been hacked. By Monday afternoon, SARS had publicly denied it. You are now the calm voice in a noisy room.

What SARS actually said

On 25 May 2026, SARS issued a media release titled SARS refutes false claims of a data breach. The revenue service said the claims circulating online were false and unsubstantiated, that it continuously monitors its systems for suspicious activity, and that it had conducted a thorough investigation in response to the weekend reports. SARS stated that the protection of taxpayer information and the security of its digital platforms is "sacrosanct and a core responsibility".

SARS also urged the public to verify information before sharing it, to stop circulating unverified claims, and to avoid relying on unofficial sources. SITA issued a similar statement denying any compromise of its own systems.

In plain terms: there is no evidence of a breach. eFiling, the SARS Online Query System (SOQS), the Traveller Management System, and the SARS Mobile App continue to operate normally.

Why this still matters for your practice

Two things happen the moment a "SARS hack" rumour starts circulating, and both land on the accountant's desk.

First, your clients panic. Most cannot tell the difference between a verified news report and a forwarded screenshot. They do not know who to call. They will call you.

Second, scammers move. A rumoured breach is the perfect cover story for the next wave of phishing. Expect a spike in emails and SMSes claiming to be "SARS verification" or "urgent eFiling re-authentication", with links that look identical to SARS's own pages. CIBA flagged exactly this pattern in Phishing Scams and Fraud: Why Accounting Firms Are in the Crosshairs. The article shows how fake SARS portals using real SARS colours, fonts, and wording are now one of the fastest-growing threats hitting South African accountants and their clients.

The wider context does not help. SARS itself has flagged a sharp rise in fraudulent activity on eFiling accounts in recent years, and CIBA has previously covered a SARS Letter of Demand phishing scam and a general SARS impersonation alert. The breach rumour is the trigger. The fake emails are the real risk.

What to do this week

Five practical moves for any CIBA member in practice.

1. Send a short proactive WhatsApp or email to your client base. State plainly that SARS has confirmed no breach has occurred, that eFiling remains secure, and that no client action is needed. Tell them to ignore any message claiming "verification required" or "account suspended due to breach". Add: forward anything suspicious to you before clicking. One message now beats fifty panicked replies later.

2. Re-issue your phishing checklist. SARS will never send a link asking for login details, banking details, or an OTP. SARS communicates inside the eFiling portal and via the official SARS app. Any email or SMS asking for credentials is a scam, no matter how legitimate it looks. Suspect mails should be forwarded to phishing@sars.gov.za.

3. Check your own eFiling profile security. Multi-factor authentication on, OTPs going to a number you actually control, and no shared logins between partners or staff. If a junior left in the past 90 days and you have not rotated the passwords on their tax practitioner profile, do that today.

4. Confirm your POPIA incident response plan exists and is current. Whether the next breach is real or rumoured, the Information Regulator expects accountable institutions to have a documented response plan covering containment, notification, and remediation. CIBA's guide on how to plan for a cybersecurity incident is the starting point, and reviewing it now is cheaper than building it under pressure.

5. Add cybersecurity hygiene to your client onboarding. Filing season opens in July. If a client compromises their eFiling profile because of a phishing scam, the consequence still lands on your desk. A 30-second reminder in your onboarding pack on what SARS will never ask for is a small investment with a very large downside avoided.

The bottom line

The breach was rumour, not reality. The response from your clients is real, and so is the wave of phishing that will follow. The practitioners who get ahead of this with a 30-second message and a 5-minute security check will look like the professionals they are. The ones who wait for the first compromised client will spend the rest of the week unwinding the damage.