What Business Owners Need to Know This Week
This week's threat level has been escalated to HIGH — the most serious rating in our scale. Three headline events are driving this: a massive 3.8 TB data theft from the Gauteng Provincial Government, confirmed Chinese state-sponsored espionage targeting South African telecoms, and a new wave of ransomware hitting local businesses across multiple sectors. If your business handles customer data, processes payments, or relies on digital infrastructure, this week's intelligence is directly relevant to you.
The Bottom Line: A South African business is now breached every 3 hours — up from every 5 hours last year. Cyberattacks targeting SA organisations have increased 22% year-on-year, and the average cost of recovering from a ransomware attack has risen to R24 million. This is not a distant IT problem — it is a direct business risk.
The Week in Numbers
- 2,204 cyberattacks per week targeting South African organisations (Check Point Research, Feb 2026) — a 22% YoY increase, the steepest of any African nation.
- 2,898 POPIA breach notifications filed year-to-date — up 53% on the same period last year.
- 91 SA ransomware victims tracked in 2026, with 3 new victims confirmed this week.
- R24 million average ransomware recovery cost, up 41% from R17M in 2024.
- 98,000 digital banking fraud incidents in 2024 — up 88% from 52,000 in 2023.
- 60% surge in SA data breaches YoY; South Africa is the most targeted economy on the African continent.
Major Incidents: Who Was Hit and How
Gauteng Provincial Government — 3.8 TB Stolen
Threat actor XP95 exfiltrated 3,673,556 files (3.8 TB) from Gauteng provincial systems — including healthcare records, education data, housing title deeds, and employment records of millions of citizens. The dataset is currently for sale on the dark web for $25,000 (approx. R460,000). Premier Panyaza Lesufi confirmed the investigation on 14 March 2026. This breach has real consequences for any South African who has interacted with Gauteng government services: their ID numbers, SARS eFiling credentials, and personal details may now be in criminal hands, fuelling identity theft and financial fraud targeting individuals and businesses alike.
RE/MAX Southern Africa — 291 GB Client Database Stolen
On 5 March 2026, Team Cyber Strike breached RE/MAX via a brute-force and SQL injection attack on their public-facing website, gaining access to AWS infrastructure and exfiltrating a full 291 GB database backup. The stolen data includes client ID numbers, email addresses, phone numbers, physical addresses, OTPs, and commission records. RE/MAX refused to pay the ransom, restored from backups, and filed a POPIA Section 22 notification. This attack is a textbook example of how a single unpatched or misconfigured web application can lead to catastrophic data exposure.
Land Bank — Ransomware Disclosed to Parliament
Finance Minister Enoch Godongwana disclosed to Parliament that the Land Bank suffered a ransomware attack on 12 January 2026, with attackers demanding 5 BTC (R5.67M). The ransom was not paid. Attackers exploited a vulnerability on an internet-facing server, encrypting non-SAP servers and exfiltrating board, governance, and HR documents. The Land Bank was required to notify SAPS, the Information Regulator, the Prudential Authority, and the State Security Agency — illustrating the complex multi-regulator reporting burden facing regulated financial entities.
SA Ransomware: Q1 2026 Victim Tracker
South Africa has recorded 11 confirmed ransomware victims in Q1 2026 alone, spanning engineering, finance, government, automotive, logistics, insurance, and real estate. The dominant groups are The Gentlemen (4 SA victims, targeting municipalities and motor groups), Vect, and a newly formed cartel linking LockBit 5, Qilin, and DragonForce.
| Date | Organisation | Sector | Group |
|---|---|---|---|
| 6 Jan | Hytec SA | Engineering | Vect |
| 12 Jan | Land Bank | Financial Services | Unknown RaaS |
| 20 Jan | Witzenberg Municipality | Government | The Gentlemen |
| 20 Jan | Rola Motor Group | Automotive | The Gentlemen |
| 20 Jan | Paltrack | Logistics | The Gentlemen |
| 15 Feb | Intsika Yethu Municipality | Government | The Gentlemen |
| 24 Feb | EnerTec | Manufacturing | Vect |
| 1 Mar | Diesel-Electric Group | Automotive | LockBit 5 |
| 6 Mar | Lion of Africa Insurance | Insurance | Lynx |
| 9 Mar | Gauteng Provincial Govt | Government | XP95 (data theft) |
| 12 Mar | RE/MAX Southern Africa | Real Estate | Team Cyber Strike |
Fraud Hitting Your Business & Your Customers
An active card fraud campaign using the “FACEBK” merchant descriptor is draining accounts at FNB, Standard Bank, Absa, Nedbank, and Capitec. Stolen card details are used to purchase Facebook advertising credits, bypassing 3D Secure protections. Reported transactions range from R941 to R9,262 per hit. If your business monitors corporate card expenditure, flag any “FACEBK” transactions immediately.
Business Email Compromise (BEC) attacks increased 15% globally in 2025, with $2.7 billion in reported losses. South African organisations are especially exposed — identity-related weaknesses are found in approximately 90% of all investigated SA breaches. AI-generated deepfake scams surged 1,200% in South Africa, including a notable deepfake video impersonating SARB Governor Lesetja Kganyago. Educate your team to verify payment instructions and executive requests through a second independent channel.
POPIA Update: New Health Data Rules, No Grace Period
As of 6 March 2026, new POPIA health information processing regulations (Government Gazette No. 54268) are in force — with no grace period. Eight categories of organisations are now in scope: insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers, and institutions acting on their behalf. Failure to comply carries a maximum administrative fine of R10,000,000.
The Information Regulator disclosed it has received 2,898 security compromise notifications year-to-date — a 15x increase from 202 in 2021/22. Critically, only 14% of CIPC-active companies (~69,040 of ~490,000) have registered an Information Officer. If your business has not yet registered an Information Officer or reviewed your POPIA obligations, this is an urgent compliance gap.
Compliance Deadlines at a Glance:
- Immediate — POPIA health data processing safeguards (in force 6 March 2026)
- Active / Past Due — SARB NPS cybersecurity compliance (24-hr incident reporting, quarterly resilience testing)
- From June 2025 — FSCA/PA Joint Standard: board-approved cyber strategy, annual pen testing, MFA, 24-hr incident reporting
Full Intelligence Report
The complete Week 12 technical report below includes deep dives into ransomware TTPs, IOC tables for SIEM ingestion, threat hunt missions, OSINT exposure analysis, and the full regulatory compliance matrix.
What Your Business Should Do Right Now
Immediate actions (this week):
- Update all browsers: Force-update Google Chrome to 146.0.7680.75+ across every device. Two zero-days are actively exploited in the wild.
- Apply Microsoft patches: Deploy all March 2026 Patch Tuesday updates — 94 vulnerabilities, multiple critical RCE flaws.
- Patch network security devices: If you use Cisco FMC, FortiGate, or VMware Aria Operations, treat patching as an emergency.
- POPIA health data compliance: If your business handles any health information (employees, clients, insurance) — conduct an immediate review. R10M penalty, no grace period.
- Flag “FACEBK” card transactions: Alert your finance team to monitor for the FACEBK merchant descriptor in corporate card statements.
- Brief your team on BEC & deepfakes: AI-generated executive impersonation and voice deepfakes are surging. Verify any unusual payment requests via a second independent channel.
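A simple way for a finance or security team to act on the FACEBK card fraud advice above is to run the exported corporate card statement through a descriptor check. The script below is an added example, not part of this report or any bank's tooling; the statement rows are constructed for illustration, and only the per-hit amount band (R941 to R9,262) comes from the article.

```python
import csv
import io
from collections import defaultdict

# Constructed sample card export (masked card, date, merchant descriptor, amount in ZAR).
SAMPLE_STATEMENT = """card,date,descriptor,amount
**** 4417,2026-03-10,FACEBK *ADS12345,941.00
**** 4417,2026-03-10,WOOLWORTHS SANDTON,312.50
**** 9031,2026-03-11,facebk *h7q2m9,9262.00
**** 9031,2026-03-11,FACEBOOK ADS,1500.00
**** 2280,2026-03-12,UBER ZA,87.00
"""

FLAGGED_DESCRIPTOR = "FACEBK"          # descriptor named in the campaign report
REPORTED_RANGE = (941.00, 9262.00)     # per-hit amounts reported this week


def is_flagged(descriptor):
    """Case-insensitive substring match: real descriptors carry suffixes like '*ADS...'.
    Only the descriptor named in the report is matched, so 'FACEBOOK ADS' is not flagged."""
    return FLAGGED_DESCRIPTOR in descriptor.strip().upper()


def flag_transactions(statement_csv):
    """Return the flagged rows, each with an in_reported_range hint for triage ordering."""
    low, high = REPORTED_RANGE
    hits = []
    for row in csv.DictReader(io.StringIO(statement_csv)):
        if not is_flagged(row["descriptor"]):
            continue
        amount = float(row["amount"])
        hits.append({
            "card": row["card"],
            "date": row["date"],
            "descriptor": row["descriptor"],
            "amount": amount,
            "in_reported_range": low <= amount <= high,
        })
    return hits


def exposure_by_card(hits):
    """Total flagged spend per card, so the cards to block first are obvious."""
    totals = defaultdict(float)
    for h in hits:
        totals[h["card"]] += h["amount"]
    return dict(totals)


if __name__ == "__main__":
    found = flag_transactions(SAMPLE_STATEMENT)
    for h in found:
        print(f"{h['card']} {h['date']} {h['descriptor']!r} R{h['amount']:.2f}")
    print("flagged exposure per card:", exposure_by_card(found))
```

Run it against a real CSV export by replacing SAMPLE_STATEMENT with the file contents; any hit is a reason to contact the bank and block the card regardless of amount.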