-
Massive Data Theft, hackers stole over 450,000 files from Stats SA’s HR system and are demanding a ransom to prevent public release of the stolen data.
-
XP95, a recently emerged hacking group, has claimed it hacked into the Gauteng Provincial Government earlier this month.
-
There have been more than 124 million compromised identities from attacks in South Africa over the past decade, making it the top African country to have received the most attacks on cyberspace.
Statistics South Africa, a government organization responsible for presenting its official census data as well as employment statistics and economic indicators, now confirms that it has been the victim of a ransomware attack.
The hackers are requesting $100,000 (approximately R1.7 million) as a ransom not to release 453,362 files online that they previously stole from the government agency.
This attack on Statistics South Africa is the second high-profile attack on a South African government organization within the last month, casting considerable doubt on the protection of South African public sector data from cyberattacks.
XP95, which stands out as the group that launched the attack, is a cybercrime group that first appeared in March 2026. Also, it received credit for previously attacking the Gauteng Provincial Government.
What Happened and Who is Behind the Attack
A hacking group – known as XP95 – has revealed that it was responsible for breaching an unknown Stats SA server, taking 453,362 files, amounting to 154GB of data. Also, they have posted samples from the stolen information on their dark web leak site to prove their claims. The postings comprise information from a Human Resource file server, which contains the private details of applicants and employees.
According to a statement made by Acting Deputy Director General Semakaleng Thulare, Stats SA has confirmed the attack. Thulare noted that the compromised database was an online job application HR database and that they are currently working with government Cyber Security Agencies and Law Enforcement to investigate the incident.
XP95 stated in their ransom note that if the organization fails to pay their ransom by April 20, 2026, they will post the entire data archive online.
Why This Breach Matters for Ordinary South Africans
Stats SA collects, collates, and manages some of the most sensitive data from the government. Besides employment data, the company handles other data aspects, including household surveys, census data, demographic data, economic data, and personal information such as names, addresses, identity numbers, etc. Some people can sometimes re-identify even anonymized data with other denominated datasets.
For ordinary South African citizens, this breach highlights the fact that their private information is vulnerable when the responsible organization stores it at government institutions. Those who have applied for jobs via Stats SA’s online job portal or responded to recent statistical surveys will face some serious risk.
The Information Regulator will receive a notification to guard against the risk of identity theft. Experts are recommending that South Africans maintain online safety processes, routinely check their bank accounts, watch for any unusual activity, and be wary of receiving unsolicited emails and/or phone calls asking for any of their personal information during the next few months.
Growing Cybercrime Problem in South Africa
The growth of cybercrimes in South Africa has become a significant concern for authorities. Cybercriminals attacked South Africa more – in terms of actual victims, than any other African country so far.
According to Surfshark’s 2025 Cybercrime Data Report, South Africa had lost 369,600 accounts to cybercriminals between April and June last year, a number which is over three times greater than any other African country within the same period.
The report estimated that the attacks have affected three per 100,000 people in the country. Additionally, within the past 10 years, over 124 million South Africans have suffered a compromise of their private data.
XP95 stands out as a group that utilizes data theft and blackmail tactics frequently, the process of “double extortion”. In this method, XP95 first obtains sensitive data and then threatens to make that data publicly available or sell the said data if the victim fails to make a ransom payment.
According to cybersecurity experts, government agencies that maintain large amounts of citizen data are enticing targets for criminals, as they may obtain access through illegal means to open authentic trust accounts or commit identity fraud.
The Interpol-led arrests of 574 suspects across Africa demonstrate that law enforcement is taking these threats seriously, but as the Stats SA breach shows, much work remains to protect citizen data from the growing wave of cybercrime targeting the continent.
