South Africa's national statistics agency, Stats SA, has confirmed a data breach targeting its HR job application system — the second South African government entity hit by the emergent XP95 cyber-extortion group within weeks. Hackers claim 453,362 files totalling 154 GB were stolen, with a $100,000 (R1.7M) ransom demanded and a hard deadline of April 20, 2026 before public release.
What Happened
Stats SA confirmed the breach affects its human resources database — specifically the public-facing portal used by job seekers to apply online. The agency stated that its core statistical systems and national data infrastructure were not compromised.
XP95 set a ransom deadline of April 20, 2026, threatening to leak the full archive publicly if payment is not received. Stats SA has notified South Africa's Information Regulator and stated it is part of a "wider government response" to the ongoing cybersecurity incidents affecting public sector entities.
This attack follows XP95's breach of the Gauteng Provincial Government earlier in March 2026, where 3,673,556 files totalling 3.8 TB were exfiltrated and listed for sale at $25,000. The pattern indicates a deliberate campaign targeting South African government infrastructure.
What Was Taken
- 453,362 files totalling 154 GB from an unspecified Stats SA server
- Data originates from the HR/recruitment system — likely containing: applicant personal information (names, ID numbers, contact details, employment history), submitted CVs and supporting documents, and potentially internal HR administrative records
- The Gauteng precedent suggests XP95 exfiltrates broadly before scoping ransom demands — full scope of Stats SA data may exceed what has been disclosed
Why It Matters
XP95 is a new actor but moving fast. First appearing in March 2026, the group has already hit two South African government entities in under a month. Their interface mimics legacy Windows XP/95 aesthetics — a deliberate branding choice that signals a technically capable group comfortable drawing attention.
For defenders, the significance here is pattern recognition: XP95 is specifically targeting African public sector HR and administrative systems, which frequently sit on aging infrastructure with weaker segmentation than core operational systems. The Gauteng and Stats SA breaches together suggest XP95 either has access to a persistent foothold in the South African government network perimeter, or is exploiting a common vulnerability across multiple agencies.
The April 20 deadline creates a decision window for South African authorities. If Stats SA pays, it validates XP95's model and invites further attacks. If they don't, 154 GB of citizen applicant data — including ID numbers and personal details — goes public.
The Attack Technique
The attack vector has not been publicly confirmed. Based on the available information:
- Target system: Public-facing HR job application portal — internet-exposed by design, likely with a larger attack surface than internal systems
- Precedent: The Gauteng breach involved similar exfiltration volume and data type, suggesting a consistent intrusion methodology across targets
- XP95's emergence timeline: First observed March 2026, indicating either a new group or a rebrand of an existing actor with established tooling
The group's ability to exfiltrate 154 GB undetected points to either a prolonged dwell time or an unmonitored external-facing system with inadequate egress controls.
What Organizations Should Do
- Audit all public-facing HR and recruitment portals — these systems collect sensitive PII at scale and are frequently under-resourced for security relative to their exposure. Review authentication, patching status, and egress monitoring immediately.
- Segment HR/recruitment systems from core infrastructure — if an attacker compromises the job portal, lateral movement to payroll, personnel records, or operational systems should be blocked at the network layer.
- Deploy egress monitoring and DLP controls — 154 GB leaving a system unnoticed is a detection failure. Baseline normal outbound data volumes and alert on anomalies exceeding thresholds.
- Review South African government threat landscape — organizations with any footprint in SA public sector supply chains or shared infrastructure should assess exposure to XP95's current campaign.
- Do not rely on "non-core" framing as a risk mitigator — Stats SA's statement that "internal systems" were safe may be technically accurate but misses the point: 154 GB of citizen applicant PII is still a significant breach with real regulatory and reputational consequences.
- Engage the Information Regulator proactively — South Africa's POPIA obligations require prompt notification. Organizations operating under similar regulatory frameworks should review their breach response playbooks now, before an incident.
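The egress-monitoring recommendation above (baseline normal outbound volumes, alert on anomalies) can be sketched as follows. This is an added example, not code from the article or from Stats SA; the hostnames, dates, flow records and the threshold parameters (`k`, `floor`) are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1024 ** 2

def daily_egress(flows):
    """Sum outbound bytes per (host, day) from (day, host, bytes_out) records."""
    totals = defaultdict(int)
    for day, host, bytes_out in flows:
        totals[(host, day)] += bytes_out
    return totals

def flag_anomalies(flows, baseline_days, k=6.0, floor=1024 * MB):
    """Alert when a host's daily egress exceeds median + k * spread of its baseline."""
    totals = daily_egress(flows)
    history = defaultdict(list)
    for (host, day), total in totals.items():
        if day in baseline_days:
            history[host].append(total)
    alerts = []
    for (host, day), total in sorted(totals.items()):
        if day in baseline_days:
            continue
        base = history.get(host)
        if base:
            med = median(base)
            mad = median(abs(v - med) for v in base)
            # Guard against a zero MAD on very regular hosts (e.g. nightly backups).
            threshold = max(med + k * max(mad, 0.1 * med), floor)
        else:
            threshold = floor  # host with no baseline: only the absolute floor applies
        if total > threshold:
            alerts.append((host, day, total, threshold))
    return alerts

# Constructed sample flow records (day, host, bytes_out); hostnames are hypothetical.
BASELINE_DAYS = {f"2026-01-0{d}" for d in range(1, 6)}
SAMPLE_FLOWS = (
    [(f"2026-01-0{d}", "hr-portal", v * MB)
     for d, v in zip(range(1, 6), (2000, 2200, 1900, 2100, 2000))]
    + [(f"2026-01-0{d}", "backup", 50000 * MB) for d in range(1, 8)]
    + [("2026-01-06", "hr-portal", 2100 * MB)]
    # Bulk transfer split into eight chunks: only the daily sum exposes it.
    + [("2026-01-07", "hr-portal", 5000 * MB)] * 8
)

if __name__ == "__main__":
    for host, day, total, threshold in flag_anomalies(SAMPLE_FLOWS, BASELINE_DAYS):
        print(f"ALERT {host} {day}: {total // MB} MB out (threshold {threshold / MB:.0f} MB)")
```

Baselining per host keeps a high-volume but regular system (the constructed backup host) quiet while a low-volume portal that suddenly sends many times its normal daily volume is flagged.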