Johannesburg – South Africa’s statistical agency, Stats SA, has confirmed a data breach impacting its human resources database, and is facing a ransom demand of R1.7 million from a hacker group known as XP95. The group claims to have exfiltrated 154GB of data, including private and personal information, and is threatening to release it if the demand is not met. Stats SA has stated it will not comply with the ransom request, citing legal constraints and a commitment to protecting state financial resources.
The breach comes amid a global surge in ransomware attacks, and highlights the increasing vulnerability of critical infrastructure to cybercrime. The incident raises concerns about the security of sensitive data held by government entities and the potential impact on citizens. The agency, responsible for collecting and disseminating crucial economic and social data, is working with authorities to investigate the breach and mitigate any potential harm. This report from ITWeb first detailed the incident.
What is Known About the Breach
According to a statement released by Stats SA, the compromised system is specifically the online HR portal used by job seekers. The agency emphasized that the breach does not affect its core statistical databases, which contain the official data used for policy-making and economic analysis. However, the compromised HR data could still include personal information submitted by applicants, such as names, contact details, and potentially identity numbers.
XP95, the group claiming responsibility, is described as an emerging cybercriminal entity gaining attention for its involvement in targeted attacks, data breaches, and alleged digital espionage. Although the group is relatively new on the scene, its activity signals a growing sophistication in cybercriminal tactics. The group is also claiming responsibility for a separate data breach at the Gauteng City Region Academy, a provincial government entity focused on skills development, demanding an identical R1.7 million ransom for 147GB of data allegedly stolen from that organization. As of publication, the Gauteng City Region Academy had not responded to requests for comment from ITWeb.
Stats SA’s Response and Legal Framework
Stats SA has firmly rejected the ransom demand, stating that payment would be in violation of the Public Finance Management Act (PFMA). The agency has notified the Information Regulator, the independent body responsible for enforcing data protection laws in South Africa, and will cooperate fully with their investigation. “Stats SA will not pay any ransom,” the agency stated. “Deployment of state financial resources is done in line with PFMA. Stats SA will notify the Information Regulator and will be guided by their processes.”
The PFMA governs the financial management of national and provincial government departments and requires strict adherence to budgetary controls and accountability. Paying a ransom would likely be deemed an unlawful expenditure. The agency’s decision underscores a growing trend among government entities to refuse to negotiate with ransomware attackers, recognizing that such payments incentivize further attacks and do not guarantee the recovery of data.
Broader Trends in South African Cybersecurity
The attacks on Stats SA and the Gauteng City Region Academy are part of a broader pattern of escalating cybercrime targeting South African organizations. Last week, Liberty, a major insurance and financial services firm, disclosed a data breach that exposed the personal information of its customers. These incidents highlight the increasing sophistication and frequency of cyberattacks in the country, and the need for enhanced cybersecurity measures across all sectors.
Doreen Mokoena, founder and CEO of Cybersec Clinique, a South African cybersecurity firm, explained that multiple breaches in quick succession often indicate underlying vulnerabilities in an organization’s IT infrastructure. “Two breaches in rapid succession often point to deep technical debt in legacy systems, especially when public portals still expose outdated infrastructure or unpatched services,” Mokoena said. She added that a successful initial response focused on system restoration, rather than complete threat removal, can leave organizations vulnerable to repeat attacks. “Persistent access, stolen credentials and poor log visibility allow threat actors to walk back in,” she noted.
What Can Be Done?
Mokoena emphasized the importance of proactive cybersecurity measures, including continuous monitoring, identity-centric security, and robust incident response planning. Organizations must assume they have already been compromised and implement measures to detect and respond to threats effectively. This includes regular security audits, vulnerability assessments, and employee training on cybersecurity best practices.
The Information Regulator is expected to launch a full investigation into the Stats SA breach, and will likely issue guidance on how the agency can strengthen its cybersecurity defenses and protect the personal information of job seekers. The investigation will also assess whether Stats SA was compliant with the Protection of Personal Information Act (POPIA), South Africa’s data protection law.
The agency has not yet released details on what specific steps it is taking to notify affected individuals or offer support services. However, it is expected to provide further updates as the investigation progresses. The incident serves as a stark reminder of the importance of data security and the need for organizations to prioritize cybersecurity in an increasingly digital world.
Stats SA is expected to provide an update on the investigation and remediation efforts within the next two weeks. The Information Regulator will also be conducting its own independent assessment and will release its findings in due course. We will continue to follow this story and provide updates as they become available.
