Stats SA has confirmed that a group of hackers has accessed its information, but states it will not give in to its ransom demands.
A hacker group called XP95 claimed on Telegram that it accessed private and personal information from Stats SA. It claims to have 154GB of information from the government organisation and is demanding $100 000 (R1.7 million) in ransom.
XP95 is an emerging and previously relatively obscure hacker group that has begun attracting attention in cyber security circles for its alleged involvement in targeted cyber attacks, data breaches and digital espionage campaigns.
Stats SA plays a central role in producing reliable, official data that informs decision-making across government, business and society. As the country’s national statistical authority, it is responsible for collecting, analysing and publishing data on key areas, such as population demographics, employment, inflation, economic performance and living conditions.
Ransomware attacks are escalating globally and in South Africa, reflecting a sharp rise in the frequency and sophistication of cyber crime.
ITWEB SECURITY SUMMIT 2026:
To learn about defending organisations against today’s evolving cyber threats, register for ITWeb Security Summit Cape Town 2026 or ITWeb Security Summit 2026 in Johannesburg, where global and local experts will unpack the latest security trends and solutions.
In a statement yesterday, Stats SA said it is aware of a cyber security breach affecting one human resources (HR) database.
“The system that was breached is exclusively the HR system available for job-seekers to apply online,” says the organisation.
“The national statistics office is part of a wider government response to matters dealing with cyber security breaches. Stats SA will not pay any ransom. Deployment of state financial resources is done in line with PFMA [Public Finance Management Act]. Stats SA will notify the Information Regulator and will be guided by their processes.”
XP95 is also claiming responsibility for accessing private and personal information from the Gauteng City Region Academy, alleging it has obtained 147GB of data. It is demanding a $100 000 (R1.7 million) ransom.
The Gauteng City Region Academy is a Gauteng provincial government entity focused on developing skills and expanding access to education and training opportunities for young people in the province.
It is best known for administering bursaries, internships and learnership programmes that support students from disadvantaged backgrounds to pursue higher education and vocational training.
The academy had not responded to ITWeb’s questions by the time of publication.
Doreen Mokoena, founder and CEO of Cybersec Clinique, a South African cyber security firm, says two breaches in rapid succession often point to deep technical debt in legacy systems, especially when public portals still expose outdated infrastructure or unpatched services.
“In modern threat environments, organisations must assume compromise and adopt continuous monitoring, identity-centric security and incident response readiness. Without those controls, attackers frequently return to the same environment multiple times before being detected,” says Mokoena.
She adds that when attackers return two weeks after a breach and exfiltrate more data, it usually means the initial incident response focused on restoring systems rather than removing the attacker.
“Persistent access, stolen credentials and poor log visibility allow threat actors to walk back in,” she notes.
The cyber attacks come as South African organisations are increasingly getting targeted by cyber criminals.
Last week, insurance and financial services firm Liberty disclosed a data breach, which exposed the personal information of its customers.
Share
