Notice in terms of section 22 of the Protection of Personal Information Act

Dear former Tharisa employee,

In December 2024, we detected and addressed a cybersecurity incident affecting certain ICT systems. As is often the case with cyberattacks of this nature, the individuals behind this malicious activity remain unidentified. We are actively collaborating with law enforcement in response. This notice serves to inform you that certain personal information in South Africa that was provided to us during the course of your relationship with the company may have been exposed.

Potentially Affected Information

The personal information that may have been accessed includes, where applicable:

• Name
• ID or passport number
• Contact details
• Employment history

Actions Taken

As soon as we became aware of the incident, we activated our Incident Response Plan, immediately isolated affected systems, and engaged leading cybersecurity and forensic experts to assess the impact and contain the breach. While the situation has been effectively contained, we remain vigilant and are implementing additional measures to strengthen our system security. We have also notified the South African Information Regulator and are working closely with relevant authorities.

Protect Yourself

To help safeguard your personal information, we recommend the following precautions:

• Be cautious of any unsolicited requests for personal information.
• Consider placing a fraud alert on your credit report with major credit bureaus.
• Register for a Protective Registration with the Southern Africa Fraud Prevention Service (www.safps.org.za).
• Regularly update passwords and avoid using the same password across multiple accounts.
• Do not click on suspicious links or download attachments from unknown sources.

We regret any inconvenience this incident may cause and appreciate your understanding as we continue to address the matter. Should you have any questions or require further information, please contact Secretarial@tharisa.com.