What Business Owners Need to Know This Week
Week 19 brought one new SA ransomware listing and continued cascade pressure from the W15–W18 incident set. On 3 May, Stormous listed the Consumer Goods Council of South Africa (CGCSA) on its leak portal: claims include 151,000+ CRM documents, GS1 South Africa SharePoint access, Sage 200 Evolution backups, and partner data referencing Unilever, Nestlé, and L’Oréal. SA ransomware.live victim count moved from 105 to 107. Standard Bank / ROOTBOY daily dumps continued; Polmed / ShinyHunters forensic probe is ongoing; the XP95 deadline at Stats SA + GCRA remains lapsed without confirmed public release; and the Adumo source-code listing is unresolved. Microsoft Defender zero-days RedSun and UnDefend remain unpatched. The Information Regulator filed its first major enforcement court application — a Section 109 action against Blouberg Local Municipality on 30 April for an unpaid R500,000 fine — signalling a new phase of active enforcement.
The Bottom Line: The CGCSA breach exposes the full fast-moving consumer goods supply chain — any organisation that shares data with CGCSA members (Unilever, Nestlé, L’Oréal and others) should assess secondary exposure. The IR’s court filing against Blouberg marks the transition from warnings to legal action; unpaid POPIA fines are now a litigation risk. ConnectWise ScreenConnect exploited by Medusa ransomware is a critical patch priority for every SA MSP and organisation using remote support tools.
The Week in Numbers
- 107 cumulative SA ransomware victims as of 3 May 2026, up from 105 at end of Week 18 (net +2).
- 1 new SA ransomware listing in Week 19: CGCSA by Stormous (3 May).
- 151,000+ CRM documents claimed in the CGCSA breach, plus GS1 SharePoint access and Sage 200 Evolution backups.
- 5 active SA breach investigations ongoing: Standard Bank, Polmed, CGCSA, Adumo, XP95 fallout.
- 15 CISA KEV entries in Week 19 scope, up from 13 in Week 18.
- 2 Defender zero-days STILL UNPATCHED (RedSun, UnDefend) — manual hunting remains the only mitigation.
- R500,000 — unpaid POPIA fine that triggered the IR’s Section 109 court application against Blouberg Local Municipality on 30 April.
- CVE-2024-1708 (ConnectWise ScreenConnect) added to CISA KEV 28 April — actively exploited by Medusa ransomware (Storm-1175).
Major Incidents: Who Was Hit and How
CGCSA — Stormous Claims Consumer Goods Supply Chain Data
On 3 May, Stormous listed the Consumer Goods Council of South Africa (CGCSA) on its leak portal. CGCSA is the industry body representing FMCG manufacturers, retailers, and distributors in South Africa, including members such as Unilever, Nestlé, and L’Oréal. The claimed dataset includes 151,000+ CRM documents, SharePoint access at GS1 South Africa (the barcode and supply chain standards organisation), Sage 200 Evolution ERP backups, and partner data referencing major consumer goods brands. The breach potentially exposes supply chain partner data, trade pricing, compliance documentation, and member organisation contact databases across the entire SA consumer goods sector.
Standard Bank / ROOTBOY — Daily Dumps Continue
ROOTBOY (PrinzEugen) continued releasing Standard Bank data in daily batches through Week 19. The drip-feed publication strategy maximises reputational damage and maintains media pressure while the full 1.2 TB dataset is incrementally exposed. Standard Bank’s forensic investigation is ongoing; the confirmed scope (154M SQL rows, credit card data, passport numbers, SharePoint/OneDrive/Power Apps/Oracle SQL movement) continues to grow. Financial institutions and insurers with Standard Bank business accounts or data-sharing agreements should assess downstream exposure.
Information Regulator — Section 109 Court Action Against Blouberg
On 30 April, the Information Regulator filed a Section 109 court application against Blouberg Local Municipality for an unpaid R500,000 POPIA enforcement fine. This is the IR’s first significant court enforcement action of 2026 and marks a clear escalation from issuing fines to actively litigating for their collection. Any organisation that has received a POPIA enforcement notice and not paid or appealed should treat this as a direct signal that non-payment will be followed by court proceedings.
ConnectWise ScreenConnect — Medusa Ransomware Exploitation
CVE-2024-1708 (ConnectWise ScreenConnect authentication bypass) was added to the CISA KEV catalogue on 28 April, confirming active exploitation by Medusa ransomware (Storm-1175). ConnectWise ScreenConnect is widely used by South African MSPs and IT service providers for remote support. Any unpatched ScreenConnect instance is a direct entry point for ransomware deployment across the entire client estate managed by that MSP.
APT28 — Windows Shell NTLM Zero-Click Hash Leak
CVE-2026-32202 (Windows Shell NTLM hash leak) was added to CISA KEV on 28 April, attributed to APT28 (Fancy Bear, Russia-nexus). This zero-click vulnerability allows NTLM credential hash exfiltration without user interaction, enabling subsequent pass-the-hash lateral movement. Combined with APT28’s previously flagged SAMA financial-sector interest, this is a direct threat to SA banking and financial services organisations running Windows domain environments.
POPIA and Regulatory
The Blouberg Section 109 court filing establishes that the Information Regulator will pursue judicial enforcement of unpaid fines without further warning. Combined with the record 788 Q1 breach notifications, the IR is clearly building both enforcement capacity and legal precedent. The Verizon DBIR 2026 (published 29 April) confirmed that credential theft remains the leading breach vector globally — directly relevant to the NTLM and Bitwarden vulnerabilities active in SA this week. NIS2 cybersecurity-officer designation deadlines in Portugal (4 May) signal the direction of travel for SA’s own cybersecurity officer requirements under POPIA and emerging sector-specific regulation.
Full Intelligence Report
The complete Week 19 technical report covers the CGCSA breach and FMCG supply chain exposure, Stormous actor profile, Standard Bank daily-dump analysis, Blouberg IR enforcement precedent, ConnectWise ScreenConnect patch guidance, APT28 NTLM exploitation chain, Defender RedSun/UnDefend hunt updates, and structured hunt missions (TH-2026-W19-01 to -04) with full IOC tables.
What Your Business Should Do Right Now
- Patch ConnectWise ScreenConnect immediately: If your organisation or MSP uses ScreenConnect for remote support, patch CVE-2024-1708 without delay. Medusa ransomware is actively exploiting this vulnerability. An unpatched ScreenConnect instance can expose every client endpoint the MSP manages.
- Block NTLM relay opportunities (CVE-2026-32202): Apply the Windows Shell patch, enable SMB signing on all domain-joined systems, and block outbound NTLM to untrusted hosts at your perimeter. APT28 is exploiting zero-click NTLM leaks for lateral movement in SA financial sector targets.
- Assess CGCSA secondary exposure: If your organisation is a CGCSA member, shares supply chain data with CGCSA, or has business relationships with Unilever, Nestlé, or L’Oréal through CGCSA systems, assess what data may be in the claimed dataset and brief your data protection officer.
- Continue RedSun/UnDefend manual hunting: No patch is available. Run daily detection queries for Defender engine tampering, unexpected SYSTEM-level privilege escalation, and FortiGate VPN entry followed by AV disablement events.
- Review POPIA enforcement fine status: The Blouberg court filing signals that unpaid IR fines will be litigated. Any organisation with outstanding POPIA enforcement notices should consult legal counsel and assess payment or formal appeal options.
- Implement Verizon DBIR 2026 credential hygiene actions: Review privileged account password policies, enforce MFA on all remote access, and audit service account credential exposure in light of the confirmed credential-theft focus of active SA threat actors.
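The NTLM-hardening and Defender-hunting items above can be turned into a repeatable posture check. The script below is an added example written for this briefing, not part of the newsletter or any vendor's tooling: it is read-only, assumes it is run as Administrator on a domain-joined Windows 10/11 or Server 2016+ host with Microsoft Defender Antivirus, and checks whether SMB signing is required, whether outbound NTLM is restricted, and whether Defender is running with tamper protection on, then lists Defender operational-log events that indicate protection being switched off or reconfigured. Because no RedSun/UnDefend indicators are published on this page, the event checks cover the generic "AV disablement" signals the hunt guidance describes, not those specific zero-days.

```powershell
# Added example (not from the newsletter): read-only posture check for the
# "Block NTLM relay" and "Continue RedSun/UnDefend manual hunting" action items.
# Assumed: run as Administrator on a domain-joined Windows host with Defender AV.
# Nothing is changed; FAIL rows and listed events are input to change control / IR.

function Test-SmbSigning {
    # SMB signing must be *required* on both the server and client roles to blunt NTLM relay.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Check = 'SMB signing required (server/client)'
        Value = "$($srv.RequireSecuritySignature)/$($cli.RequireSecuritySignature)"
        Pass  = [bool]($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature)
    }
}

function Test-NtlmOutbound {
    # Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
    # (trusted exceptions are maintained separately in ClientAllowedNTLMServers).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $val = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $val) { $val = 0 }   # an unset value behaves as "allow all"
    [pscustomobject]@{
        Check = 'Outbound NTLM denied (RestrictSendingNTLMTraffic = 2)'
        Value = $val
        Pass  = ($val -eq 2)
    }
}

function Test-DefenderPosture {
    # Defender must be enabled, real-time protection on, and tamper protection active.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Check = 'Defender AV on / RTP on / tamper-protected'
        Value = "$($s.AntivirusEnabled)/$($s.RealTimeProtectionEnabled)/$($s.IsTamperProtected)"
        Pass  = [bool]($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and $s.IsTamperProtected)
    }
}

function Get-DefenderTamperEvents {
    param([int]$Days = 7)
    # Defender operational-log events worth reviewing during a manual hunt:
    # 5001 real-time protection disabled, 5007 platform configuration changed,
    # 5010/5012 malware/virus scanning disabled, 5013 tamper protection blocked a change.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012, 5013
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Run the checks and print a compact report.
$results = @(Test-SmbSigning; Test-NtlmOutbound; Test-DefenderPosture)
$results | Format-Table Check, Value, Pass -AutoSize

$events = @(Get-DefenderTamperEvents -Days 7)
if ($events.Count -gt 0) {
    Write-Warning "$($events.Count) Defender disable/reconfigure event(s) in the last 7 days; review each against change records:"
    $events | Format-Table -AutoSize
} else {
    Write-Host 'No Defender disable/reconfigure events in the last 7 days.'
}
```

Run it from an elevated PowerShell session on a representative sample of domain-joined hosts (or push it through your RMM) and treat any FAIL row as a hardening ticket; a 5001/5010/5012 event with no matching change record is the trigger to pivot into the W19 hunt missions. Setting RestrictSendingNTLMTraffic to 2 fleet-wide without first running in audit mode (1) will break legacy services that still depend on NTLM, so stage the change.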