What Business Owners Need to Know This Week

The threat level remains at HIGH as South Africa enters Week 14 with a second XP95 hit on government, a flagship financial breach, and nation-state exploitation of critical infrastructure. XP95 has now claimed Statistics South Africa (154 GB / 453,362 files stolen) just weeks after the Gauteng Provincial Government breach, while Liberty Group SA disclosed unauthorised access impacting up to 3.2 million customers (names and ID numbers). DragonForce’s data haul on The Unlimited has been confirmed at 316.63 GB, and F5 BIG-IP APM CVE-2025-53521 has been reclassified from a denial-of-service bug to a remote code execution flaw actively exploited by Chinese state-linked actors. At the same time, AI-powered digital banking fraud has surged 86% year-on-year to 97,975 incidents and R1.888 billion in losses.

The Bottom Line: South African organisations are now breached roughly every 3 hours, with POPIA breach notifications in FY 2025/26 already exceeding the entire previous financial year. XP95’s pure data-extortion model means backups alone no longer save you, while Liberty’s repeat breach turns financial services into a frontline POPIA enforcement test case. Government, financial, and insurance sectors face simultaneous extortion, regulatory scrutiny, and AI-enhanced fraud pressure.

The Week in Numbers

  • Every 3 hours — estimated frequency of cyber breaches impacting South African organisations, with 90% deemed preventable.
  • 2,145 cyberattacks per week targeting SA organisations (Jan 2026 baseline) — a 36% YoY increase from 1,577 per week.
  • 2,898 POPIA breach notifications already reported in FY 2025/26, exceeding the full FY 2024/25 total of 2,374.
  • 96 total SA ransomware victims recorded in 2026 (including Stats SA pending formal indexing), up from 94 at the end of Week 13.
  • 154 GB / 453,362 files — volume of data stolen from Statistics South Africa by XP95, with a payment deadline of 20 April 2026.
  • 3.2 million customers — potential Liberty exposure (names and ID numbers) after email systems were compromised in the latest breach.
  • 316.63 GB — confirmed DragonForce leak volume for The Unlimited’s environment.
  • 97,975 digital banking fraud incidents in 2024 (+86% YoY), causing R1.888 billion in losses; banking apps account for 65.3% of cases.
  • R5.4 million — Land Bank’s average ransomware recovery cost, versus a R3.2 million 2025 average, a 69% increase.

Major Incidents: Who Was Hit and How

Statistics South Africa — XP95 Data Extortion

XP95 claimed Statistics South Africa (statssa.gov.za) on 29 March 2026, stealing 154 GB of data across 453,362 files and setting a ransom deadline of 20 April 2026. This is XP95’s second South African government victim in a month following the 3.8 TB Gauteng breach, using the same playbook: exploitation of unpatched, internet-facing servers for large-scale data exfiltration without encrypting systems (pure data extortion). Stats SA holds highly sensitive demographic, economic, and census datasets, making this a critical escalation of government-focused activity and significantly increasing identity theft and profiling risk for citizens.

Liberty Group SA — 3.2M-Customer Breach

Liberty Group SA (a Standard Bank subsidiary) disclosed unauthorised access to its systems between 23 and 24 March 2026, confirming exposure of customer names, ID numbers, and email data via compromised email infrastructure. Liberty has roughly 3.2 million customers across the continent; extortion was attempted but Liberty refused to pay, echoing its previous 2018 email repository breach. This incident is likely to become a flagship POPIA test case given repeat-offender status, the involvement of ID numbers, and the Regulator’s stated focus on financial services for 2026/27.

ETFSA — Incransom Ransomware

ETFSA (etfsa.co.za), a South African ETF investment platform, was listed by Incransom on 26 March 2026. The group, which operates a RaaS model, has a history of exploiting CVE-2023-3519 (Citrix NetScaler) for initial access. The leak post explicitly named the CEO and threatened data publication, indicating a classic double extortion play targeting both operational data and executive reputation.

Virgin Active SA — IDOR and Payment Manipulation

An Insecure Direct Object Reference (IDOR) vulnerability was publicly disclosed at Virgin Active SA on 24 March 2026, exposing the personal data of an estimated 631,000 members. The flaw allowed access to names, email addresses, gym branch details, and outstanding balances, and enabled payment manipulation (e.g. reducing a R1,425 amount to R1) while backend authentication tokens were exposed in plaintext. Virgin Active disabled the affected payment links and initiated a security review, but the incident underscores the risk of insecure integrations and poorly secured payment flows in customer portals.
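The following is an added illustration, not code from Virgin Active or from the disclosure above. It shows the two weaknesses the paragraph describes, a payment handler that trusts the invoice id in the link and the amount sent by the client, next to a hardened version that checks ownership against the logged-in member, binds the link reference to the invoice and its owner with an HMAC, and charges the server-held amount only. The invoice records, member ids, amounts and the names SIGNING_KEY, make_payment_ref and hardened_pay are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    member_id: int      # the member who owns this balance
    amount_cents: int   # amount owed, held server-side


# Constructed sample data standing in for the portal's database.
INVOICES = {
    1001: Invoice(1001, member_id=7, amount_cents=142500),  # R1,425.00
    1002: Invoice(1002, member_id=8, amount_cents=89900),
}


class AccessDenied(Exception):
    """Raised when a request does not prove it may act on the invoice."""


def vulnerable_pay(invoice_id: int, amount_cents: int) -> dict:
    """The flawed pattern: the invoice is fetched by the id in the link with no
    ownership check, and the amount to charge is whatever the client sent."""
    inv = INVOICES[invoice_id]
    return {"member": inv.member_id, "charged_cents": amount_cents}


# Hardened version. SIGNING_KEY is a hypothetical server secret; generate it
# once and keep it in a secrets store rather than in code.
SIGNING_KEY = secrets.token_bytes(32)


def _tag(invoice_id: int, member_id: int) -> str:
    msg = f"{invoice_id}:{member_id}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_payment_ref(invoice_id: int, member_id: int) -> str:
    """Issue a link reference bound to both the invoice and its owner, so a
    guessable sequential id alone cannot reach someone else's balance."""
    return f"{invoice_id}.{_tag(invoice_id, member_id)}"


def hardened_pay(payment_ref: str, session_member_id: int) -> dict:
    """Charge the server-held amount only if (1) the invoice exists, (2) the
    logged-in member owns it, and (3) the reference carries a valid tag."""
    invoice_part, _, tag = payment_ref.partition(".")
    if not invoice_part.isdigit():
        raise AccessDenied("malformed reference")
    inv = INVOICES.get(int(invoice_part))
    if inv is None or inv.member_id != session_member_id:
        raise AccessDenied("invoice not found or not owned by caller")
    expected = _tag(inv.invoice_id, inv.member_id)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise AccessDenied("invalid reference tag")
    # The amount comes from the server-side record, never from the request.
    return {"member": inv.member_id, "charged_cents": inv.amount_cents}
```

Two design points matter here: the ownership check uses the authenticated session, not anything in the URL, and the amount is never accepted from the client. The HMAC-bound reference is defence in depth on top of that check; it is not a substitute for it.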

The Unlimited — DragonForce 316.63 GB Confirmed

DragonForce’s attack on The Unlimited moved from headline to hard numbers this week, with Breachsense confirming a leak volume of 316.63 GB on 23 March 2026. The Unlimited’s portfolio spans health, auto, legal, and life insurance products, and the group still has not issued a detailed public incident statement. DragonForce is now operating as a RaaS cartel with affiliates spinning up sub-brands, meaning that if ransom negotiations fail, data could be syndicated across multiple criminal ecosystems rather than a single leak site.

Carry-Over Incidents & Government Pressure

Several major incidents from prior weeks remain active: Semenya Furumele Consulting Engineers is still in negotiations with Nightspire, whose leak site shows “data is not available now”; Elundini Local Municipality remains re-listed by TheGentlemen with full leak threatened; and the Gauteng Provincial Government breach (3.8 TB / 3,673,556 files) remains unresolved with no confirmed ransom payment. Together with the new Stats SA compromise, this means at least three government entities are under simultaneous extortion, underpinned by the same root cause: unpatched, end-of-life internet-facing infrastructure.

SA Ransomware: Q1 2026 Victim Tracker

South Africa has now recorded 96 confirmed ransomware victims in 2026 (95 indexed plus Stats SA pending), with two new additions in Week 14: ETFSA (Incransom) and Stats SA (XP95). The landscape is dominated by TheGentlemen (5+ SA victims in Q1), XP95 (two government targets in one month), and DragonForce (two SA victims since late 2025). XP95’s shift to data-only extortion (no encryption, pure exfiltration) highlights that traditional backup-centric ransomware strategies are no longer sufficient without strong DLP, outbound traffic monitoring, and identity controls.
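The outbound traffic monitoring this paragraph calls for, and the ">10 GB" anomalous-transfer check in the action list further down, can be expressed as a simple aggregation over flow logs. The block below is an added example, not tooling from any vendor or organisation named here: it parses constructed flow-log lines, sums bytes sent from internal hosts to addresses outside the organisation's own ranges, and flags any source/destination pair above the threshold. The log format, the addresses, the byte counts and INTERNAL_NETS are all assumptions for the example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for external hosts.

```python
import ipaddress
import re
from collections import defaultdict

GIB = 1024 ** 3
DEFAULT_THRESHOLD = 10 * GIB  # the ">10 GB" outbound figure from the action list

# The organisation's own address space. Everything else is treated as external.
# Extend this with your public ranges or cloud egress addresses as appropriate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log lines, not real telemetry. 10.20.5.14 pushes 3 x 4 GiB to
# one external address overnight; its 30 GiB transfer to 10.20.1.5 stays internal
# (e.g. a backup job); 10.20.7.2 is ordinary browsing; one line is corrupt.
SAMPLE_FLOWS = """\
2026-03-29T01:10:02Z src=10.20.5.14 dst=203.0.113.40 dport=443 bytes_out=4294967296
2026-03-29T02:31:40Z src=10.20.5.14 dst=203.0.113.40 dport=443 bytes_out=4294967296
2026-03-29T03:55:07Z src=10.20.5.14 dst=203.0.113.40 dport=443 bytes_out=4294967296
2026-03-29T02:00:00Z src=10.20.5.14 dst=10.20.1.5 dport=445 bytes_out=32212254720
2026-03-29T09:12:33Z src=10.20.7.2 dst=198.51.100.9 dport=443 bytes_out=734003200
this line is corrupt and should be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flow(line: str):
    """Parse one flow record; return None for lines that do not match or carry bad IPs."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": m["ts"], "src": ipaddress.ip_address(m["src"]),
                "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
                "bytes": int(m["bytes"])}
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def outbound_totals(lines):
    """Sum bytes per (internal source, external destination); count skipped lines."""
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            skipped += 1
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            totals[(str(rec["src"]), str(rec["dst"]))] += rec["bytes"]
    return dict(totals), skipped


def find_exfil_candidates(lines, threshold: int = DEFAULT_THRESHOLD):
    """Return source/destination pairs whose outbound total exceeds the threshold."""
    totals, _ = outbound_totals(lines)
    hits = [{"src": s, "dst": d, "bytes": n, "gib": round(n / GIB, 2)}
            for (s, d), n in totals.items() if n > threshold]
    return sorted(hits, key=lambda h: -h["bytes"])


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_FLOWS.splitlines()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['gib']} GiB outbound")
```

The aggregation is per source/destination pair over the whole input, so run it over a bounded window (a day, a night shift) to keep the threshold meaningful, and expect legitimate bulk senders such as backup-to-cloud hosts to need an allowlist.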

| Date        | Organisation                    | Sector               | Group             |
|-------------|---------------------------------|----------------------|-------------------|
| 24 Dec 2025 | National Credit Regulator       | Financial Regulation | DragonForce       |
| 6 Jan       | Hytec SA                        | Engineering          | Vect              |
| 12 Jan      | Land Bank                       | Financial Services   | Unknown RaaS      |
| 20 Jan      | Witzenberg Municipality         | Government           | TheGentlemen      |
| 20 Jan      | Rola Motor Group                | Automotive           | TheGentlemen      |
| 15 Feb      | Intsika Yethu Municipality      | Government           | TheGentlemen      |
| 24 Feb      | EnerTec                         | Manufacturing        | Vect              |
| 1 Mar       | Diesel-Electric / Bosch SA      | Automotive           | LockBit 5         |
| 5 Mar       | RE/MAX Southern Africa          | Real Estate          | Team Cyber Strike |
| 20 Mar      | The Unlimited                   | Insurance            | DragonForce       |
| 21 Mar      | Elundini Municipality (re-list) | Government           | TheGentlemen      |
| 22 Mar      | Semenya Furumele Engineers      | Engineering          | Nightspire        |
| 26 Mar      | ETFSA                           | Financial Services   | Incransom         |
| 29 Mar      | Statistics South Africa         | Government           | XP95              |

Fraud Hitting Your Business & Your Customers

AI-Powered Banking Fraud +86% YoY

Digital banking fraud in South Africa climbed to 97,975 incidents in 2024, an 86% year-on-year increase, with gross losses of R1.888 billion. Banking apps now account for 65.3% of fraud cases, and INTERPOL’s 2026 Global Financial Fraud Assessment warns that AI-enhanced scams are 4.5 times more profitable than traditional methods. Banks like Capitec report blocking more than 64,000 mule accounts in 15 months, while Discovery Bank cites zero card fraud by automatically blocking payments during active calls, underlining how policy and technical controls can materially reduce risk.

Tycoon2FA PhaaS Using .za.com for MFA Bypass

The disrupted Tycoon2FA phishing-as-a-service platform continues to operate post-Europol takedown, with South African victims being targeted via lookalike .za.com domains. Two domains, 811inboard.aeroprimelink.za.com and pass.aeroprimelink.za.com, have been linked to MFA-bypass campaigns against Microsoft 365 and Google accounts. Post-disruption activity includes BEC phishing, thread hijacking, cloud account takeover, and SharePoint compromise, making it essential to treat unfamiliar .za.com links as high-risk even though they resemble local domains.

Multi-Channel BEC and Vishing Pressure

Business Email Compromise remains a high-impact fraud vector, with the National Financial Ombud finding in favour of banks in 79% of fraud disputes, placing the burden firmly on customers. SMS now accounts for roughly 66% of BEC attack channels and messaging apps like WhatsApp for a further 32%, while SABRIC confirms that 100% of digital fraud cases involved compromised customer credentials through social engineering. Standard Bank customers have reported accounts being emptied after vishing calls, reinforcing the need for multi-channel verification rules, call-back policies, and fraud education for both staff and clients.

POPIA and Regulatory: Enforcement Phase

POPIA moved decisively into enforcement territory this month, with three formal actions now confirmed: Lancet Laboratories (R200,000 fine for breach notification failures), Blouberg Municipality (R500,000 fine for unlawful publication of financial disclosures), and FT RAMS Consulting (R200,000 fine for unlawful direct marketing). Blouberg and FT RAMS have refused to pay, and court proceedings have been initiated under Section 109, signalling that the Regulator is prepared to litigate to enforce compliance. In parallel, POPIA Monitoring Exercise notices under Section 40 are being issued, demanding full compliance documentation within 14 business days.

The Liberty breach is poised to become a high-profile benchmark case, as it triggers POPIA Section 22 mandatory notification duties, Joint Standard 2/2024 24-hour incident reporting to the FSCA and Prudential Authority, and potential GDPR exposure for EU-resident clients. Meanwhile, the FSCA/PA Joint Standard 2 is now in active enforcement, requiring a board-approved cybersecurity strategy, annual penetration testing, multi-factor authentication, continuous monitoring, and strong third-party risk oversight. Non-compliance is expected to attract fines comparable to FICA enforcement (tens of millions), particularly in banking and insurance.

Compliance Deadlines at a Glance:

  • Immediate — POPIA health information processing safeguards (in force 6 March 2026, no grace period)
  • 14 business days — Respond to any POPIA Monitoring Exercise notice under Section 40
  • Active / Enforcement — FSCA/PA Joint Standard 2/2024: board-approved cyber strategy, annual pen testing, MFA, 24-hour reporting
  • By June 2026 — RICA amendment draft legislation finalisation (SIM card controls)
  • 1 July 2026 — SIM card registration crackdown starts (SAPS/NPA)
  • October 2026 — SA FATF/FSRB mutual evaluation (inclusive of cybercrime and SIM/RICA enforcement)

Full Intelligence Report

The complete Week 14 technical report below includes XP95 and DragonForce threat hunt missions, the full IOC table for SIEM/EDR ingestion, a priority vulnerability matrix (including F5 BIG-IP, Cisco FMC, Citrix NetScaler, FortiOS, Langflow, and Trivy), OSINT exposure analysis, and a detailed regulatory and compliance section covering POPIA and Joint Standard 2 enforcement.

What Your Business Should Do Right Now

Immediate actions (this week):

  • Patch F5 BIG-IP APM: Apply fixes for CVE-2025-53521 (CVSS 9.8), which is now confirmed as a remote code execution bug exploited by Chinese nation-state actors. Check for /run/bigtlog.pipe, /run/bigstart.ltm, and file hash mismatches in /usr/bin/umount and /usr/sbin/httpd.
  • Verify Cisco FMC and Fortinet edge devices: Ensure Cisco FMC is patched against CVE-2026-20131 (Interlock campaign) and audit FortiOS for exploitation of CVE-2024-55591 and CVE-2026-24858, particularly in environments with Nightspire exposure.
  • Audit internet-facing servers for XP95 exposure: Government and public sector organisations should immediately review all externally accessible servers for unpatched services and anomalous outbound transfers (>10 GB), especially scanner/printer servers and legacy infrastructure.
  • Review Liberty exposure and strengthen fraud monitoring: If your organisation or employees use Liberty products, assume names and ID numbers may be exposed and enable enhanced monitoring for identity theft, account takeover, and synthetic identity fraud.
  • Hunt for DragonForce and Incransom activity: Insurance and financial services organisations should execute targeted hunts for indicators linked to DragonForce (Log4Shell/Ivanti, MEGA/rclone exfiltration, Cobalt Strike) and Incransom (Citrix NetScaler CVE-2023-3519, webshells, unusual RDP/SMB lateral movement).
  • Block Tycoon2FA and Interlock infrastructure: Add known aeroprimelink.za.com subdomains and Interlock C2 domains (browser-updater[.]com, os-update-server[.]*) to your blocklists and monitor for any historical traffic.
  • Check Trivy and Langflow in your CI/CD stack: If you used Trivy v0.69.4 or mutable trivy-action tags around 19–20 March, treat those pipelines as compromised and rotate all secrets. Ensure Langflow is upgraded to at least 1.9.0 and not directly exposed to the internet.
  • Update BEC and vishing playbooks: Enforce an out-of-band verification rule for all payment instructions received via email, SMS, or messaging apps, and brief staff on AI-enhanced voice and chat scams that mimic executives and bank staff.
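Two of the items above, the Tycoon2FA .za.com lookalike domains described earlier in the Fraud section and the "Block Tycoon2FA and Interlock infrastructure" action, come down to the same operational task: turn the indicators in a briefing like this one into something a proxy or DNS log can be checked against. The block below is an added example, not a vendor's or any named organisation's tooling. It re-fangs the indicators exactly as they are written on this page (including the "[.]" defanging and the os-update-server[.]* wildcard), matches hosts and their parent domains against them, and separately flags anything under za.com, which is an ordinary commercial domain rather than the .za country code. The proxy-log format, user names and the non-indicator hostnames are constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Indicators as written in this briefing; two are defanged with "[.]".
RAW_INDICATORS = [
    "811inboard.aeroprimelink.za.com",
    "pass.aeroprimelink.za.com",
    "browser-updater[.]com",
    "os-update-server[.]*",
]


def refang(indicator: str) -> str:
    """Normalise a defanged indicator (hxxp://, [.], (.), [dot]) to a plain lowercase hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    s = s.split("/", 1)[0]  # drop any path
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    return s.strip(".")


BLOCKLIST = [refang(i) for i in RAW_INDICATORS]


def host_matches(host: str, pattern: str) -> bool:
    """True if the host, or any parent domain of it, matches the pattern.
    Plain patterns therefore also catch subdomains; '*' patterns use shell-style globbing."""
    labels = host.split(".")
    return any(fnmatchcase(".".join(labels[i:]), pattern) for i in range(len(labels)))


def classify_host(host: str) -> str:
    host = refang(host)
    if any(host_matches(host, p) for p in BLOCKLIST):
        return "blocklisted"
    # za.com is a commercial domain, not the .za country code; anything under it
    # resembles a local address and is treated as a lookalike until reviewed.
    if host == "za.com" or host.endswith(".za.com"):
        return "lookalike"
    return "allow"


# Constructed proxy-log lines (not real traffic).
SAMPLE_PROXY_LOG = """\
2026-03-30T08:01:12Z user=jsmith host=pass.aeroprimelink.za.com status=200
2026-03-30T08:03:45Z user=jsmith host=login.microsoftonline.com status=200
2026-03-30T08:10:09Z user=mnaidoo host=cdn.os-update-server.net status=200
2026-03-30T08:11:30Z user=mnaidoo host=secure-bank.za.com status=302
2026-03-30T08:12:00Z user=tdlamini host=www.gov.za status=200
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) host=(?P<host>\S+)")


def scan_proxy_log(lines):
    """Return (user, host, verdict) for every line whose host is not plainly allowed."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify_host(m["host"])
        if verdict != "allow":
            alerts.append((m["user"], m["host"], verdict))
    return alerts


if __name__ == "__main__":
    for user, host, verdict in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{verdict:12} {user:10} {host}")
```

Running the same classifier over historical proxy or DNS logs is what the "monitor for any historical traffic" part of the action item means in practice; a "blocklisted" hit on a past date is a lead for incident response, while a "lookalike" hit is a candidate for user follow-up rather than an automatic block.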
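The F5 BIG-IP APM item above asks for two kinds of host check: the presence of /run/bigtlog.pipe and /run/bigstart.ltm, and hash mismatches on /usr/bin/umount and /usr/sbin/httpd. The block below is an added example of how to script that, not F5's own tooling or a published detection. It takes a filesystem root (normally "/", but it can be a mounted disk image so the check does not depend on tools on a suspect host) and a baseline of known-good SHA-256 hashes, which you must capture yourself from a clean appliance of the same version, since no reference hashes appear in this briefing. The demo() function builds a constructed directory tree in a temporary folder to show a clean result and then a tampered one.

```python
import hashlib
import hmac
import os
import tempfile

# Paths named in the briefing's F5 BIG-IP APM action item.
INDICATOR_PATHS = ["/run/bigtlog.pipe", "/run/bigstart.ltm"]
WATCHED_BINARIES = ["/usr/bin/umount", "/usr/sbin/httpd"]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(root: str, baseline: dict) -> dict:
    """Look for the named indicator files and compare watched binaries with a
    baseline of known-good hashes (a placeholder you supply from a clean system).
    Missing binaries and missing baseline entries are reported but are not, on
    their own, treated as signs of compromise."""
    findings = []
    for p in INDICATOR_PATHS:
        if os.path.lexists(os.path.join(root, p.lstrip("/"))):
            findings.append(("indicator_present", p))
    for binary in WATCHED_BINARIES:
        full = os.path.join(root, binary.lstrip("/"))
        if not os.path.isfile(full):
            findings.append(("binary_missing", binary))
            continue
        expected = baseline.get(binary)
        if expected is None:
            findings.append(("no_baseline", binary))
        elif not hmac.compare_digest(sha256_of(full), expected):
            findings.append(("hash_mismatch", binary))
    suspect = any(kind in ("indicator_present", "hash_mismatch") for kind, _ in findings)
    return {"suspect": suspect, "findings": findings}


def demo() -> tuple:
    """Constructed demonstration in a temp directory: a clean tree, then the
    same tree with an indicator file dropped and one binary replaced."""
    root = tempfile.mkdtemp()
    for binary in WATCHED_BINARIES:
        full = os.path.join(root, binary.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"placeholder binary content for " + binary.encode())
    # Baseline captured while the tree is known-good.
    baseline = {b: sha256_of(os.path.join(root, b.lstrip("/"))) for b in WATCHED_BINARIES}
    before = check_host(root, baseline)

    # Simulate what the action item describes: an indicator file appears and
    # one watched binary no longer matches its baseline hash.
    os.makedirs(os.path.join(root, "run"), exist_ok=True)
    open(os.path.join(root, "run", "bigtlog.pipe"), "wb").close()
    with open(os.path.join(root, "usr", "sbin", "httpd"), "wb") as f:
        f.write(b"modified")
    after = check_host(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:   ", before)
    print("tampered tree:", after)
```

On a real appliance the baseline has to come from a trusted reference of the same software version, and a negative result only covers the paths listed here; it does not rule out compromise, so pair it with the vendor's guidance and with patching of the CVE itself.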