A Chatbot, A Motive, And Seven Million Records
- Johan Steyn

- 1 day ago
- 3 min read
The expertise that once stood between an attacker and your data has evaporated, and the threat has moved from the IT department to the boardroom.

Sign up for my Substack daily AI newsletter here.
See my AI Training course portfolio for corporate Business Leaders here.
Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/
In December 2025, Tokyo police arrested a 17-year-old from Osaka who had used a program built with an AI chatbot to extract roughly 7.25 million customer records from Japan’s largest internet-cafe chain. The case made headlines around the world. It should have made boardrooms uneasy, because the lesson is not about one talented teenager. It is that the skill once required to mount a serious cyberattack is no longer required at all.
CONTEXT AND BACKGROUND
The clearer warning lies in the cases where the attacker truly had no expertise. In February 2025, three teenagers with no professional training used a chatbot to build a program that defrauded a mobile network, spending the proceeds on gaming console. More striking still, Anthropic disrupted a single actor who used its Claude Code tool to run a data-extortion campaign against at least 17 organisations in a month, with the AI automating reconnaissance, deciding what to steal, analysing victims’ finances to set ransom demands, and writing the ransom note. The company’s own conclusion is blunt: AI has lowered the barriers to sophisticated cybercrime, letting people with few technical skills run operations that once needed years of training.
INSIGHT AND ANALYSIS
This severs an assumption that has quietly underpinned corporate security for decades, that serious attacks require serious skill, and therefore that most organisations are too small, too obscure or too ordinary to be worth a capable attacker’s time. When the skill sits inside the machine, that protection disappears. Security researchers now describe a three-tier threat landscape, with a rapidly expanding bottom tier of low-skill actors wielding tools once reserved for nation-states. The arms race is not yet lost to the attackers. Anthropic notes that its model sometimes hallucinated credentials, which remains an obstacle to fully autonomous attacks, and AI assists defenders too. But the direction of travel is clear, and for South Africa it lands on already weak ground.
The local picture is stark. The Council for Scientific and Industrial Research estimates South Africa loses roughly R2.2 billion a year to cyberattacks, that more than half of South African companies are hit by ransomware annually, and that the average large data breach costs R53.1 million, all while AI hands sophisticated tools to small-time actors. South Africa is already the most-targeted country in Africa for ransomware, yet a majority of local firms lack in-house AI expertise to defend themselves. The barrier to entry for attackers has collapsed at precisely the moment defenders remain short of the skills to respond.
IMPLICATIONS
This is why cybersecurity has become a board matter rather than a technical one. South African financial institutions are already bound by the Prudential Authority and FSCA Joint Standard on Cybersecurity, which requires resilience capabilities, incident-response plans and the reporting of material incidents, while POPIA’s breach-reporting obligations continue to tighten. When an amateur with a chatbot subscription can do what once took an organised crew, “we are too small to be a target” is no longer a defence. It is a liability the board owns. Resilience, tested backups, incident planning and basic security hygiene are now fiduciary questions, not line items to be delegated and forgotten.
CLOSING TAKEAWAY
The Osaka teenager wanted, on an earlier occasion, nothing more ambitious than to fund a card-collecting habit. That is the unsettling part. The motives behind the most damaging breaches need not be sophisticated, because the tools no longer demand sophistication of their users. For a South African board, the task is not to panic but to stop assuming that obscurity is safety. The attacker no longer needs to be clever, which means the organisation can no longer afford to be complacent. The cheapest attacker you face is now also a capable one, and the only adequate response is to treat security as the leadership responsibility it has quietly become.
Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net



Comments