Gauteng Provincial Government Hit by Massive Ransomware Breach Exposing 3.8TB of Citizen Data
A newly emerged ransomware group, XP95, has leaked 3.8 terabytes of sensitive data stolen from the Gauteng Provincial Government, exposing millions of personal records. The breach, confirmed by threat intelligence firm Darknotify, includes 3,673,556 files, among them high-resolution ID documents, passports, and CVs, likely belonging to job seekers who submitted applications to the province.
The attackers, operating under a Ransomware-as-a-Service (RaaS) model, have demanded $25,000 (R417,300) for the return of the data. To validate their claim, they released a 1.8GB sample of the stolen files on the dark web. Gauteng Premier Panyaza Lesufi acknowledged the breach, stating that internal security protocols had been activated, while spokesperson Elijah Mhlanga urged against speculation.
Forensic analysis by Darknotify revealed the breach likely originated from an unsecured, internet-facing scanner server, a critical oversight that meant the attackers needed neither phishing nor social engineering. The incident underscores a deeper systemic failure: 70% of Gauteng’s network devices (1,734 units) had reached end-of-service (EOS), and its core infrastructure hit end-of-life in December 2024, leaving it vulnerable for over a year.
South Africa faces an average of 2,145 cyberattacks per week, making such breaches statistically inevitable. However, the root cause extends beyond technical neglect. Bureaucratic inefficiency, particularly reliance on the State Information Technology Agency (Sita) for IT procurement, has left departments trapped with outdated systems. Meanwhile, the Gauteng government has prioritized high-profile projects such as CCTV surveillance, drones, and a panic-button app over fortifying its digital backbone, expanding its attack surface without addressing core vulnerabilities.
The breach follows a pattern of state cybersecurity failures in South Africa, including attacks on City Power, the Department of Justice, and the National Health Laboratory Service. While Gauteng’s exposure of citizen data is severe, the compromised server was isolated, not tied to critical infrastructure such as treasury systems or power grids. Experts warn that without urgent upgrades, a more targeted attack could have far graver consequences.
The incident reveals a perfect storm of neglect: obsolete hardware, misallocated budgets, and a severe shortage of cybersecurity talent, with only one in three public sector cybersecurity roles filled. Gauteng’s breach may have been a near-miss, but the underlying weaknesses remain unaddressed.
Gauteng Provincial Government cybersecurity rating report: https://www.rankiteo.com/company/gauteng-provincial-government
{
"id": "GAU1773786805",
"linkid": "gauteng-provincial-government",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Millions of citizens (job '
'seekers, general public)',
'industry': 'Public Sector',
'location': 'Gauteng, South Africa',
'name': 'Gauteng Provincial Government',
'type': 'Government'}],
'attack_vector': 'Unsecured internet-facing scanner server',
'data_breach': {'data_exfiltration': 'Yes (3.8TB leaked, 1.8GB sample '
'released on dark web)',
'file_types_exposed': ['High-resolution images',
'PDFs',
'Documents'],
'number_of_records_exposed': '3,673,556 files',
'personally_identifiable_information': 'Yes (ID documents, '
'passports, CVs)',
'sensitivity_of_data': 'High (personally identifiable '
'information, government-related data)',
'type_of_data_compromised': ['ID documents',
'Passports',
'CVs']},
'description': 'A newly emerged ransomware group, XP95, has leaked 3.8 '
'terabytes of sensitive data stolen from the Gauteng '
'Provincial Government, exposing millions of personal records. '
'The breach includes 3,673,556 files such as high-resolution '
'ID documents, passports, and CVs likely belonging to job '
'seekers. The attackers demanded $25,000 (R417,300) for the '
'return of the data and released a 1.8GB sample on the dark '
'web. The breach originated from an unsecured, internet-facing '
'scanner server, highlighting systemic failures in '
'cybersecurity infrastructure.',
'impact': {'brand_reputation_impact': 'Severe (exposure of citizen data, '
'public acknowledgment of breach)',
'data_compromised': '3.8TB (3,673,556 files)',
'identity_theft_risk': 'High (exposure of ID documents, passports, '
'and CVs)',
'operational_impact': 'Internal security protocols activated, '
'potential disruption to government services',
'systems_affected': 'Unsecured scanner server, Gauteng Provincial '
'Government network'},
'initial_access_broker': {'data_sold_on_dark_web': 'Partial (1.8GB sample '
'released)',
'entry_point': 'Unsecured internet-facing scanner '
'server'},
'investigation_status': 'Ongoing (forensic analysis by Darknotify)',
'lessons_learned': 'The breach highlights systemic failures in cybersecurity '
'infrastructure, including reliance on end-of-life '
'hardware, misallocated budgets, and a severe shortage of '
'cybersecurity talent in the public sector. The incident '
'underscores the need for urgent upgrades to prevent more '
'targeted attacks on critical infrastructure.',
'motivation': 'Financial gain (ransom demand)',
'post_incident_analysis': {'corrective_actions': ['Upgrade outdated hardware '
'and infrastructure',
'Improve IT procurement '
'processes',
'Reallocate budgets to '
'prioritize cybersecurity',
'Fill vacant cybersecurity '
'roles',
'Enhance monitoring and '
'segmentation of critical '
'systems'],
'root_causes': ['Unsecured internet-facing scanner '
'server',
'70% of network devices (1,734 '
'units) reached end-of-service '
'(EOS)',
'Core infrastructure reached '
'end-of-life in December 2024',
'Bureaucratic inefficiency in IT '
'procurement (reliance on Sita)',
'Misallocated budgets '
'(prioritization of CCTV, drones, '
'and panic-button apps over '
'cybersecurity)',
'Severe shortage of cybersecurity '
'talent in the public sector']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': '$25,000 (R417,300)',
'ransomware_strain': 'XP95'},
'recommendations': ['Upgrade end-of-life and end-of-service network devices',
'Prioritize cybersecurity over high-profile projects',
'Address bureaucratic inefficiencies in IT procurement '
'(e.g., reliance on Sita)',
'Fill critical cybersecurity roles in the public sector',
'Implement stronger monitoring and segmentation of '
'internet-facing systems'],
'references': [{'source': 'Darknotify'}],
'response': {'communication_strategy': 'Public acknowledgment by Premier '
'Panyaza Lesufi and spokesperson '
'Elijah Mhlanga',
'incident_response_plan_activated': 'Yes (internal security '
'protocols activated)',
'third_party_assistance': 'Darknotify (threat intelligence '
'firm)'},
'threat_actor': 'XP95 (Ransomware-as-a-Service group)',
'title': 'Gauteng Provincial Government Hit by Massive Ransomware Breach '
'Exposing 3.8TB of Citizen Data',
'type': 'Ransomware',
'vulnerability_exploited': 'End-of-life and end-of-service network devices, '
'outdated infrastructure'}