The deadline arrives today. Cybercrime group XP95 set 20 April as the date it would release 154 gigabytes of stolen Statistics South Africa data unless the agency paid a $100,000 ransom. Stats SA has not paid.
Why it matters: If XP95 follows through, personal information from thousands of job seekers who applied through Stats SA’s HR portal will be publicly available. It would rank among the largest government data exposures in South African history.
The standoff
Stats SA disclosed the breach in late March after XP95 claimed it had exfiltrated 453,362 files from the agency’s human resources server. The hackers demanded R1.7 million and set a three-week deadline.
The agency said it would not pay, citing compliance requirements under the Public Finance Management Act. It notified the Information Regulator and said it would follow prescribed regulatory processes.
A pattern
XP95 is a relatively new group that emerged in March 2026 with a dark web interface mimicking legacy Microsoft Windows operating systems. Before targeting Stats SA, the group claimed a separate breach of the Gauteng Provincial Government, alleging it had obtained 3.8 terabytes of data containing 3.6 million files.
The Public Servants Association has called for an urgent overhaul of government cybersecurity infrastructure, warning that ageing systems across multiple departments remain exposed.
What happens next
If the data is released, affected job seekers will need to monitor their personal information for identity theft and fraud. The Information Regulator can compel Stats SA to notify all affected individuals directly.
If XP95 does not follow through, cybersecurity analysts say the group may attempt to sell the data privately rather than release it freely, a common pattern among ransomware operators.