On 29 March, Statistics South Africa (Stats SA) announced that an unauthorised party had gained access to one of its human resources databases, potentially exposing information about job seekers who had applied online to join the organisation.

Local news outlets reported that the attack was carried out by a cybercrime group calling itself XP95, that over 400,000 files may have been compromised, and that a ransom of approximately R1.7 million (approximately £75,000) was demanded, failing which the files would be made public. Stats SA said it would notify the South African Information Regulator and "will be guided by their procedures".

The incident comes as cyber incidents become more common across South Africa. In March 2025, South African real estate company Pam Golding Properties suffered a targeted attack on its customer relationship management system.

Such incidents are primarily addressed through a combination of the common law, the Cybercrimes Act 19 of 2020 and South Africa's Protection of Personal Information Act (POPIA). The Cybercrimes Act creates offences relating to cybercrime, including cyber extortion, and regulates the powers to investigate cybercrimes. POPIA focuses on the protection of personal information: it obliges organisations to secure the personal data they hold and to notify affected data subjects of any suspected security compromise.

Under POPIA, the duty to notify data subjects of a security compromise arises where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. Notification must be made to the Information Regulator and to the affected data subjects as soon as reasonably possible after the compromise is discovered, taking into account the legitimate needs of law enforcement.

The notification may be sent to affected data subjects by post or email, published on the responsible party's website, or published in the media. It must give the data subject a description of the possible consequences of the security compromise, the measures the responsible party has taken or intends to take to address it, sufficient information to allow the data subject to take protective measures, and recommended mitigation steps.

Unlike Article 33 of the EU General Data Protection Regulation, which requires the controller to notify the supervisory authority of a personal data breach within 72 hours, POPIA sets no fixed deadline: the Information Regulator and affected data subjects must be notified as soon as reasonably possible. Although this standard is more flexible, an unreasonable delay will still attract regulatory scrutiny and will have to be explained.

Despite the growing threat of cybercrime in South Africa, there has been progress on the enforcement side. Since POPIA became fully enforceable on 1 July 2021 and the Cybercrimes Act came into force on 1 December 2021, enforcement activity has increased. Notably, in 2023 the Information Regulator imposed its first administrative fine, R5 million against the Department of Justice and Constitutional Development, following a cyber incident and systemic non-compliance with POPIA.

In 2025, South Africa also recorded its first successful conviction under the Cybercrimes Act. A man was sentenced to eight years in prison for unlawfully accessing sensitive data after carrying out a cyber attack on his former employer, in direct breach of the Act.

Mark Thomas, data privacy expert at Pinsent Masons, said the breach is a stark reminder for organisations and businesses to put in place an incident response plan that allows them to detect and respond to incidents quickly as they occur. "The way Stats SA reports incidents and cooperates with law enforcement will be closely monitored," he said. "Beyond the immediate operational impact on Stats SA, the incident is likely to attract regulatory attention from the Information Regulator, with a particular focus on incident response preparedness and POPIA compliance."

Thomas said the incident also underlines the need for public bodies to comply with South Africa's data privacy law. "POPIA compliance is mandatory and is a positive obligation that requires a proactive approach," he said. "Just saying you will be directed by the Information Regulator is not enough."

Thomas said that as cyber incidents become more frequent and enforcement more visible, organisations should expect regulators to assess not only whether a breach occurred, but how effectively it was "anticipated, managed, communicated and addressed".
