What Business Owners Need to Know This Week

The threat level remains at HIGH for the second consecutive week. This week brings a critical development that affects any business using Cisco network security infrastructure: Interlock ransomware has been silently exploiting a maximum-severity vulnerability in Cisco Firepower Management Centre since 26 January 2026 — over five weeks before it was publicly disclosed. Meanwhile, the insurance sector took a direct hit, POPIA enforcement moved from warnings to real fines, and SA banking fraud nearly doubled year-on-year.

The Bottom Line: JSE-listed companies now risk a 30% drop in share value following a cyberattack. SA organisations are breached every 3 hours, and 90% of breaches are considered preventable. The Gauteng Government’s 3.8 TB breach was traced back to a single unpatched scanner server — a lesson every business must take seriously.

The Week in Numbers

  • 2,145 cyberattacks per week targeting SA organisations (Jan 2026) — a 36% YoY increase.
  • 94 total SA ransomware victims tracked in 2026, with 3 new this week.
  • 3,651 banking fraud cases closed by the National Financial Ombud in 2025 — nearly double the prior year.
  • R49M — the average cost of a data breach for a South African organisation.
  • R22M lost in a single WhatsApp BEC attack impersonating a CFO this week.
  • 9 new CISA Known Exploited Vulnerabilities added, including 2 CVSS 10.0 flaws actively exploited in the wild.
  • 70% of Gauteng’s network devices confirmed end-of-service — the root cause of the 3.8 TB breach.

Major Incidents: Who Was Hit and How

Gauteng Government Breach — Root Cause Confirmed

Daily Maverick analysis confirmed this week that the 3.8 TB XP95 data theft originated from a single unpatched internet-facing scanner server — not human error. A DA parliamentary review revealed that 70% of Gauteng’s network devices (over 1,734 units) had reached end-of-service, with core infrastructure end-of-life since December 2024. The breach was entirely preventable. For business owners, the message is stark: running end-of-life hardware or software anywhere on your network is an open door. The 3.8 TB dataset — including ID documents, passports, and CVs — remains for sale on the dark web for $25,000.

The Unlimited — DragonForce Ransomware

DragonForce listed The Unlimited (theunlimited.co.za) — a provider of health, auto, legal, and life insurance products — on its dark web leak site on 20 March 2026. This is the same group that attacked the National Credit Regulator in December 2025. The Unlimited has not made a public statement, and the full extent of data exposure is not yet known. This attack is particularly concerning because insurance companies are now subject to both the new POPIA Health Data Regulations (in force since 6 March) and the FSCA Joint Standard — meaning a ransomware hit simultaneously triggers regulatory liability across multiple frameworks.

Semenya Furumele Consulting Engineers — Nightspire

Nightspire listed Semenya Furumele Consulting Engineers (sfce.co.za) on 22 March 2026, with an estimated attack date of 16 March. Nightspire has previously targeted the Eastern Cape Department of Human Settlements and the Ingonyama Trust Board. The pre-negotiation data posting suggests an active extortion demand is in progress. Engineering firms hold sensitive project plans, client contracts, and government tender data — all high-value targets for ransomware groups.

SA Ransomware: Q1 2026 Victim Tracker

South Africa now has 94 confirmed ransomware victims in 2026, with TheGentlemen leading as the most active group targeting local organisations (5 SA victims in Q1). A notable development this week is the re-listing of Elundini Local Municipality by TheGentlemen — originally attacked in October 2025 — suggesting data is being re-sold or shared across criminal affiliates.

| Date | Organisation | Sector | Group |
|---|---|---|---|
| 24 Dec 2025 | National Credit Regulator | Financial Regulation | DragonForce |
| 6 Jan | Hytec SA | Engineering | Vect |
| 12 Jan | Land Bank | Financial Services | Unknown RaaS |
| 20 Jan | Witzenberg Municipality | Government | TheGentlemen |
| 20 Jan | Rola Motor Group | Automotive | TheGentlemen |
| 15 Feb | Intsika Yethu Municipality | Government | TheGentlemen |
| 24 Feb | EnerTec | Manufacturing | Vect |
| 1 Mar | Diesel-Electric / Bosch SA | Automotive | LockBit 5 |
| 5 Mar | RE/MAX Southern Africa | Real Estate | Team Cyber Strike |
| 20 Mar | The Unlimited | Insurance | DragonForce |
| 21 Mar | Elundini Municipality (re-list) | Government | TheGentlemen |
| 22 Mar | Semenya Furumele Engineers | Engineering | Nightspire |

Fraud Hitting Your Business & Your Customers

Standard Bank AI Voice Spoofing

An active AI-enhanced spoofing campaign targeted Standard Bank customers this week. Fraudsters call victims using spoofed caller IDs and AI-generated voices, posing as bank employees offering account upgrades. Victims are tricked into entering codes that grant the attacker full account access — one victim lost over R600,000. Standard Bank has deployed “Trusted Person” and “Trust Call” counter-measures, but the burden of awareness still falls on businesses and individuals. Brief your team: your bank will never ask you to enter a code to verify your identity over the phone.

R22M WhatsApp BEC Attack

A South African company lost R22 million to a WhatsApp-based Business Email Compromise (BEC) attack in which the attacker replicated the CFO’s communication style so convincingly that payment was authorised without question. BEC has evolved beyond email: messaging apps now account for 32% of BEC attack channels, and SMS a further 66%. Any payment instruction received via WhatsApp, SMS, or email should be verified via a direct phone call to the known contact before funds are transferred.

NFC Card-Relay Scam

ESET flagged a card-relay attack particularly prevalent in South Africa. A fraudster calls posing as a bank representative and sends a link to install a rogue app, which then silently reads the NFC chip of the victim’s physical card in real time — allowing the attacker to make ATM and POS transactions while the victim believes they are completing a bank verification. Warn your staff and customers: no legitimate bank app requires NFC access to “verify” your card.

POPIA: The “Education First” Era Is Over

Three formal POPIA enforcement actions were confirmed this week — signalling a clear shift from the Regulator’s historically lenient posture to active enforcement:

  • Blouberg Municipality: R500,000 fine for unlawful publication of financial disclosures; court proceedings initiated.
  • Lancet Laboratories: R200,000 fine for failing to notify data subjects of a security breach (Section 22 POPIA). Fine paid.
  • FT RAMS Consulting: R200,000 fine for unlawful direct marketing. Court proceedings initiated.

The Information Regulator is also issuing formal POPIA Monitoring Exercise notices to selected organisations under Section 40, requiring comprehensive compliance reports within 14 business days. These reports must cover your lawful processing conditions, privacy policy, risk register, incident response plan, PAIA manual, training records, and security compromise log. Post-submission physical inspections are possible. If you receive one of these notices, respond immediately — failure escalates to Chapter 10 enforcement with fines up to R10 million.

Compliance Deadlines at a Glance:

  • Immediate: POPIA health data processing safeguards (in force 6 March 2026, no grace period)
  • 14 business days: Respond if you receive a POPIA Monitoring Exercise notice
  • Active / Past Due: SARB NPS cybersecurity compliance (24-hr incident reporting, quarterly resilience testing)
  • 2026 enforcement: FSCA Joint Standard 2/2024 (board-approved cyber strategy, annual pen testing, MFA)

Full Intelligence Report

The complete Week 13 technical report below includes threat hunt missions for Interlock ransomware and DragonForce indicators, the full IOC table for SIEM/EDR ingestion, vulnerability matrix, OSINT exposure analysis, and the complete regulatory compliance matrix.

What Your Business Should Do Right Now

Immediate actions (this week):

  • Patch Cisco FMC immediately: CVE-2026-20131 (CVSS 10.0) has been actively exploited by Interlock ransomware since 26 January. If you haven’t patched, treat your FMC as potentially compromised and investigate.
  • Update Google Chrome: Patch to version 146.0.7680.80 or later — the prior patch was found incomplete and re-issued on 16 March.
  • Brief staff on AI voice scams: The Standard Bank spoofing campaign is active. No bank will ask staff to enter codes over the phone. Verify all unexpected “bank” calls by hanging up and calling back on the official number.
  • Introduce a payment verification rule: Any payment instruction via WhatsApp, SMS, or email must be confirmed by a direct voice call to the known contact before processing — regardless of amount.
  • Check for a POPIA Monitoring Exercise notice: If you have received one, begin documentation assembly immediately. The 14-business-day deadline is firm.
  • Block DragonForce IOCs: If you operate in insurance, financial regulation, or municipal services, add IP 45.135.232.195 to your blocklist and scan for DragonForce indicators.

Short-term priorities (this quarter):