
    Hackers Hit Stats SA and Demand R1.7m Ransom

    March 30, 2026
    Risenga Maluleke is the current Statistician-General of South Africa

    South Africa’s national statistics office has confirmed a cyber security breach targeting its human resources database, with a hacking group demanding $100,000 (R1.7 million) in ransom and threatening to release 154 gigabytes of stolen data if payment is not made by 20 April 2026.

    The group responsible, known as XP95, claimed on the messaging platform Telegram that it had accessed 453,362 files from Stats SA’s online job application system — a portal used exclusively by members of the public applying for positions within the organisation. Stats SA confirmed the breach was confined to that HR platform and said its core statistical operations and data collection systems were not affected. The agency said it would not pay the ransom, citing compliance requirements under the Public Finance Management Act, and confirmed it would notify the Information Regulator and follow prescribed regulatory processes.

    XP95 is a relatively new entrant to the cyber-extortion space, having first emerged in March 2026. Its interface mimics the visual design of legacy Microsoft operating systems — specifically Windows XP and Windows 95 — and its name appears to be a combination of those two defunct platforms. The group had previously claimed responsibility for a separate breach of the Gauteng Provincial Government, alleging it had obtained 3.8 terabytes of data containing 3.6 million files, which it offered for sale at $25,000 (R429,000). The breach of the Gauteng City Region Academy — a provincial skills development entity focused on bursaries, internships and learnership programmes for students from disadvantaged backgrounds — was also claimed by XP95, with the group alleging it had obtained a further 147 gigabytes of data and issuing an identical $100,000 ransom demand. The academy had not responded to queries at the time of publication.

    The successive attacks on government entities point to a pattern of escalating targeting of South Africa’s public sector digital infrastructure. South Africa ranked 27th globally among the most breached countries in 2025, reflecting persistent gaps in public sector cyber security despite years of warnings from the country’s information regulator and private sector security practitioners. Cybersecurity expert Doreen Mokoena, founder and chief executive of Cybersec Clinique, said two breaches occurring in rapid succession against government systems typically point to deep technical debt in legacy infrastructure — particularly where public-facing portals expose outdated or unpatched services. Mokoena noted that when attackers return to an environment weeks after an initial breach and successfully extract additional data, it usually indicates that the initial incident response focused on restoring systems rather than fully removing attacker access, leaving persistent credentials and poor log visibility in place.

    Data breaches have cost South African organisations more than R360 million over the past three years — a figure that does not account for the reputational and operational costs of incidents affecting government bodies whose primary function is producing the economic and demographic data that underpins national planning, business investment decisions and policy formulation. Stats SA is responsible for key statistical releases including consumer price inflation, GDP, employment figures, population census data and living conditions surveys. A compromise of systems adjacent to that core function — even if the breach itself was confined to HR data — raises questions about the adequacy of the broader security perimeter around the agency’s infrastructure.

    The incident follows a disclosure by insurance and financial services group Liberty last week, which confirmed a data breach exposing personal customer information — a second high-profile breach within days that has drawn attention to the systemic exposure of both public and private sector institutions. Stats SA has confirmed it is operating as part of a broader government-wide response to cyber security incidents, indicating that the breach is being managed at an intergovernmental level rather than by the agency in isolation. No timeline for the conclusion of that response has been provided, and the agency has not disclosed how many individuals’ personal information was contained within the compromised HR database.

    Business Explainer proudly displays the “FAIR” stamp of the Press Council of South Africa, indicating our commitment to adhere to the Code of Ethics for Print and online media which prescribes that our reportage is truthful, accurate and fair. Should you wish to lodge a complaint about our news coverage, please lodge a complaint on the Press Council’s website, www.presscouncil.org.za or email the complaint to khanyim@presscouncilsa.org.za Contact the Press Council on 011 4843612.
