News
Statistics South Africa data breach: XP95 ransomware group targets HR database
BlogBreachesResourcesNews
Statistics South Africa data breach: XP95 ransomware group targets HR database

Statistics South Africa data breach: XP95 ransomware group targets HR database

UpGuard Team
UpGuard Team
March 31, 2026

Key facts: Statistics South Africa data breach

  • Date reported: March 29, 2026
  • Target entity: Statistics South Africa
  • Source of breach: Ransomware group XP95
  • Data types: HR database information, job seeker application files
  • Status: Confirmed; reported on March 29, 2026.
  • Severity: High; exposure of personal information belonging to job seekers and potential service disruption due to ransomware.

What happened in the Statistics South Africa data breach?

Statistics South Africa (statssa.gov.za) confirmed it was the target of a ransomware attack reported on March 29, 2026. The incident was attributed to a relatively new cybercrime group identified as XP95. According to reports, the attackers managed to infiltrate the agency's systems, specifically targeting an HR database used by job seekers to apply for positions online. The threat actors claim to have exfiltrated 154 GB of data, which includes over 453,000 individual files, and issued a ransom demand of $100,000.

The severity of this incident is classified as high due to the volume of sensitive personal information potentially compromised. The breach involves data from individuals seeking employment, which often includes sensitive identifiers and contact information. Stats SA has stated it will not comply with the ransom demand and has reported the matter to the Information Regulator. This incident reflects a broader trend of ransomware targeting government infrastructure. Such breaches typically lead to risks of identity theft and targeted phishing campaigns.

Who is behind the incident?

XP95 is a recently identified cybercrime group that has gained notoriety for targeting government entities. In addition to the attack on Statistics South Africa, the group has also reportedly targeted the Gauteng Provincial Government. XP95 utilizes ransomware to encrypt data and exfiltrate sensitive files, subsequently demanding payment to prevent public disclosure. The group set a deadline of April 20, 2026, for the ransom payment from Stats SA. While they are a newer actor in the threat landscape, their focus on high-profile public sector targets suggests a sophisticated approach to data extortion and pressure tactics.

Impact and risks for Statistics South Africa customers

The primary impact of this breach falls on individuals who used the Statistics South Africa online portal to apply for jobs. With over 453,000 files potentially exfiltrated, affected users may face increased risks of identity theft, financial fraud, and targeted phishing attacks. If the stolen HR database contains names, contact details, and employment histories, malicious actors could use this information to craft convincing social engineering schemes. There is also a risk that the leaked data could be sold on dark web forums if the ransom is not paid.

In response to such incidents, affected individuals should monitor their accounts for suspicious activity and be wary of unsolicited communications. Implementing multi-factor authentication and updating passwords for online portals are essential protective measures. Statistics South Africa's refusal to pay the ransom is a standard security recommendation to discourage further criminal activity, although it increases the likelihood of data release. Transparency during the investigation remains crucial for public trust.

How to protect against similar security incidents

Following the ransomware attack on Statistics South Africa's HR database, job seekers and applicants should take immediate steps to secure their personal information.

  • Monitor for phishing and social engineering. Be highly suspicious of emails, calls, or messages claiming to be from Stats SA or recruitment agencies. Avoid clicking links or downloading attachments from unknown sources, as attackers may use leaked HR data to personalize scams.
  • Secure online accounts and credentials. Change passwords for any accounts that used the same credentials as the Stats SA job portal. Enable phishing-resistant multi-factor authentication (MFA) on all sensitive personal and financial accounts to prevent unauthorized access.
  • Implement identity theft protection. Consider placing a fraud alert or security freeze on credit reports if sensitive personal identifiers were part of the application process. Regularly review bank statements and credit reports for any unrecognized activity or new accounts opened in your name.
  • Strengthen organizational attack surface management. For organizations, ensure all internet-facing databases are properly secured and monitored for unauthorized access. Deploy continuous security monitoring to detect and respond to ransomware activities before data exfiltration can occur.

Staying informed through official government updates is the best way to manage risks following this incident.

Frequently asked questions

What happened in the Statistics South Africa security breach?

XP95 claimed responsibility for a security attack on Statistics South Africa (statssa.gov.za) in March 2026. The incident was first reported on March 29, 2026.

When did the Statistics South Africa breach occur?

The Statistics South Africa breach was publicly reported on March 29, 2026. XP95 referenced the incident around that time, but the attack may have occurred earlier.

What data was exposed?

The types of data involved in the Statistics South Africa incident include files from an HR database used by job seekers. XP95 claims to have stolen 154 GB of data, comprising over 453,000 files.

Is my personal information at risk?

If you interacted with Statistics South Africa, there's a possibility your personal information could be affected. Similar incidents often involve email addresses, login details, or financial records. Stay alert for updates and take precautionary measures to secure your accounts.

What steps should companies take after being breached?

Statistics South Africa is working to secure systems, notify affected parties, and provide guidance on protective actions. They have reported the incident to the Information Regulator and are reviewing security measures while deploying attack surface management.

Sources

Statistics South Africa Investigating Ransomware Attack

This cybersecurity news article is powered by UpGuard Breach Risk — continuous attack surface monitoring for your organisation and supply chain.

How secure is ?

  • Check icon
    View our free preliminary report on ’s security posture
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
View 's score
View score
Security ratings
Deliver icon

Sign up for our newsletter

UpGuard's monthly newsletter cuts through the noise and brings you what matters most: our breaking research, in-depth analysis of emerging threats, and actionable strategic insights.

Latest news

Stay up-to-date with the latest news in cybersecurity.
Qilin Ransomware claims Rocky Mountain Care data breach

Qilin Ransomware claims Rocky Mountain Care data breach

A data breach involving Rocky Mountain Care was reported in March 2026. See incident details, impact on customers, and recommended security measures.
UpGuard Team
UpGuard Team
March 29, 2026
Shwapno data breach: what happened and what's at risk

Shwapno data breach: what happened and what's at risk

A data breach involving Shwapno was reported in March 2026. See incident details, impact on customers, and recommended security measures.
UpGuard Team
UpGuard Team
March 27, 2026
CCHC Healthcare data breach: what happened and what's at risk

CCHC Healthcare data breach: what happened and what's at risk

A data breach involving CCHC Healthcare was reported in March 2026. See incident details, impact on customers, and recommended security measures.
UpGuard Team
UpGuard Team
March 27, 2026
Advantage Gold data breach exposes names and Social Security numbers

Advantage Gold data breach exposes names and Social Security numbers

A data breach involving Advantage Gold was reported in March 2026. See incident details, impact on customers, and recommended security measures.
UpGuard Team
UpGuard Team
March 27, 2026
Brock Built data breach: sensitive personal and financial information compromised

Brock Built data breach: sensitive personal and financial information compromised

A data breach involving Brock Built was reported in March 2026. See incident details, impact on customers, and recommended security measures.
UpGuard Team
UpGuard Team
March 27, 2026
CareCloud data breach: what happened and what's at risk

CareCloud data breach: what happened and what's at risk

A data breach involving CareCloud was reported in March 2026. See incident details, impact on customers, and recommended security measures.
UpGuard Team
UpGuard Team
March 28, 2026
View all news
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.
Contact sales
Free demo
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Free score
Website Security scan resultsWebsite Security scan rating