mybroadband.co.za
29.03.2026
By Jan Vermeulen
Statistics South Africa has become the latest government entity to fall victim to a ransomware attack by the emerging cybercrime group known as XP95.
The threat actors claim to have successfully breached the agency responsible for conducting South Africa’s census, as well as producing and disseminating other official statistics, like the Consumer Price Index.
It was established by the 1999 Statistics Act to produce comprehensive data about South Africa’s people, economy, and society to support informed decision-making by government and business.
According to XP95’s dark web leak site, the hackers have stolen 453,362 files totaling 154 GB of data from an unspecified Stats SA server.
The cyber-extortionists have demanded a ransom payment of $100,000 (R1.7 million) to prevent the public release of the stolen data.
Given their claim that it was a ransomware attack, it is possible that they left the breached server encrypted and unusable.
XP95 has set a 20 April 2026 deadline for the payment, after which the group threatens to leak the full archive online.
Based on the samples of the exfiltrated data, the hackers obtained another trove of personally identifying information from what appears to be a human resources file server.
This is similar to the attack by the same group on the Gauteng Provincial Government, which saw terabytes of personal data from what appeared to be job seekers put up for sale.
The XP95 group is a relatively new actor in the cyber-extortion space, having first emerged in March 2026 with a unique interface that mimics legacy Microsoft Windows operating systems.
“What makes XP95 stand out immediately is its leak site design,” cyber threat intelligence company DarkFeed said in an analysis published shortly after the group first emerged.
“It is a striking throwback, heavily mimicking an old desktop operating system interface complete with classic teal backgrounds, old-school folders, and a vintage taskbar.”
From the site design, it appears that the group’s name is an amalgamation of two old versions of Microsoft’s operating system: Windows XP and Windows 95.
“Stats SA is aware of a cybersecurity breach affecting one Human Resources database,” stated Semakaleng Thulare, acting DDG Statistical Support and Informatics.
“The system that was breached is exclusively the HR system available for job seekers to apply online.”
Thulare explained that the national statistics office is part of a wider government response to matters dealing with cybersecurity breaches.
“Stats SA will not pay any ransom. Deployment of state financial resources is done in line with PFMA. Stats SA will notify the information regulator and will be guided by their processes.”
Gauteng Provincial Government server breach
Screenshot of XP95 dark web leak site announcing the Stats SA breach and ransom
In the previous attack on Gauteng, the hackers claimed to have stolen 3.8TB of data and demanded a lower payment of $25,000 (around R420,000 at the time) for the release of the information.
However, in that case, the group was selling the data to third parties, rather than holding the sensitive information to ransom.
Cybersecurity experts have warned that South African government departments remain prime targets for ransomware gangs and other cybercriminals.
Orange Cyberdefense highlighted in its Security Navigator Report 2025 that cyber extortion remains a pervasive threat that is impacting organisations of all sizes and sectors.
Small and medium-sized enterprises faced a 53% rise in ransomware incidents last year, and 2025 also marked the largest ransom ever paid to a ransomware group: $75 million to Dark Angels.
“With the emergence of AI tools designed specifically for fraud, extortion, and impersonation, AI has enabled an increase in the volume and sophistication of extortion incidents across sectors,” Orange Cyberdefense stated.
“The impact of these attacks reaches beyond the immediate target, with disruptions cascading through supply chains and posing risks to larger companies.”
Orange Cyberdefense also observed growing cynicism, as criminals no longer avoid critical services such as healthcare.
“We need resilience-building strategies to counter these risks,” the company stated.
“This includes the implementation of robust recovery protocols and reliable backup systems to reduce downtime and data loss after an attack.”
Cell C, South Africa’s fourth largest mobile network operator, said on Wednesday morning that RansomHouse had unlawfully disclosed data after a security breach for which RansomHouse is claiming responsibility.
The operator, with 7.7 million subscribers as of February, was attacked in early November 2024 and RansomHouse acquired 2TB of data, which has been corroborated by files posted on the dark web, according to security company PFortner.
Data accessed included:
Full names and contact details (email, phone numbers)
ID numbers
Banking details (if stored for billing purposes)
Driver’s License Numbers
Medical Records (if supplied for closure of accounts on death of a family member)
Passport details
It is not clear how many people were affected.
The National Health Laboratory Service is the primary diagnostic service for 80% of the population, and no timeline for its restoration has been determined
South Africa’s National Health Laboratory Service (NHLS) was hit by hackers on Saturday, with the dissemination of lab results severely impacted.
