Statistics South Africa: Statistics South Africa Hit by Ransomware Attack, Hackers Claim Theft of 450,000 Files

Stats SA Hit by Ransomware Attack: Hackers Claim Theft of 450,000 Files

South Africa’s national statistics agency, Statistics South Africa (Stats SA), has been targeted in a ransomware attack by the cybercrime group XP95, which claims to have stolen over 450,000 files totaling 154 GB of data. The breach, confirmed by Stats SA, marks the second major government-related cyber incident in South Africa this month, raising concerns about the security of sensitive public sector data.

XP95, a relatively new ransomware and extortion group first identified in March 2026, has demanded a $100,000 (R1.7 million) ransom to prevent the public release of the stolen information. The group previously breached the Gauteng Provincial Government, stealing 3.8 terabytes of personal data from millions of residents. Unlike traditional ransomware attacks that focus on encryption, XP95 employs a "double extortion" tactic, threatening to leak or sell data if payment is not made.

Stats SA, responsible for critical national data including census records, economic indicators, and household surveys, has not disclosed the full extent of the compromised information. Authorities are investigating whether personal details, such as names, addresses, or identification numbers, were exposed. Even anonymized data can pose risks if re-identified through cross-referencing with other sources.

The attack could undermine public trust in government data collection, particularly ahead of South Africa’s next population census. A successful data leak may deter citizens from participating in future surveys, impacting the reliability of official statistics used for policy-making, budget decisions, and research.

South Africa has seen a rise in cyberattacks targeting government institutions, state-owned enterprises, and healthcare providers. Public sector organizations are prime targets due to the vast amounts of personal data they hold, which can be exploited for fraud or sold on the dark web. XP95’s tactics reflect a broader trend of cybercriminals leveraging data theft alongside encryption to maximize pressure on victims.

Stats SA has activated its incident response team and is collaborating with cybersecurity experts and law enforcement to contain the breach and investigate the attack vector. The agency has not indicated whether it will pay the ransom, though cybersecurity best practices advise against it, as payment does not guarantee data protection.

The incident underscores the need for strengthened cybersecurity measures across South Africa’s public sector, including network segmentation, regular security audits, employee training, and robust backup systems. As the investigation continues, the focus remains on securing systems and preventing further exposure of sensitive data.

Source: https://centralnews.co.za/statistics-south-africa-hit-by-ransomware-attack-hackers-claim-theft-of-450000-files/

Stats SA cybersecurity rating report: https://www.rankiteo.com/company/stats-sa

"id": "STA1774866616",
"linkid": "stats-sa",
"type": "Ransomware",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"