What Business Owners Need to Know This Week

Week 16 is the final full week before the XP95 20 April data publication deadline. Neither Statistics South Africa (154 GB / 453,362 files) nor the Gauteng City Region Academy (147 GB / 429,473 student records) has paid — both are legally prohibited from doing so under the Public Finance Management Act (PFMA). XP95 posted 6 new global victims in a single 24-hour window on 9 April, demonstrating active operational tempo at the worst possible moment. Simultaneously, Salt Typhoon (China-nexus) was confirmed to have targeted a South African telecom provider via compromised Cisco IOS-XE routers — the first publicly confirmed nation-state telecom breach in SA. The Information Regulator publicly demanded coordinated transparency from both Liberty Group and Standard Bank, marking the first time the IR has compelled dual-entity coordinated disclosure.

The Bottom Line: The XP95 20 April deadline is 7 days away. Data release from Stats SA (154 GB) and GCRA (147 GB) is now operationally expected in Week 17. Salt Typhoon’s confirmed SA telecom breach means passive traffic interception is already in progress. Any organisation with critical communications routed through SA telecoms should assume potential exposure. Boards should be briefed on the XP95 deadline, the Salt Typhoon telecom risk, and the IR’s new dual-entity disclosure posture.

The Week in Numbers

  • 2,204 cyberattacks per week targeting South African organisations — a 36% year-on-year increase.
  • 104 cumulative SA ransomware victims as of 12 April 2026, up from 103 at end of Week 15.
  • 1 new confirmed SA victim in Week 16 — Megasurf ISP, claimed by Krybit.
  • 6 new global XP95 victims posted in a single 24-hour window on 9 April, demonstrating sustained operational tempo.
  • 7 days remaining until the XP95 20 April publication deadline for Stats SA (453,362 records) and GCRA (429,473 student records).
  • 2 new CISA KEV entries in Week 16 scope; 4 critical CVEs actively exploited in SA-relevant stacks.
  • $100,000 / R1.7 million — XP95 ransom demand, unchanged; government entities cannot legally pay under PFMA.
  • First confirmed nation-state SA telecom breach — Salt Typhoon, via Cisco IOS-XE GRE tunnel implantation and passive traffic interception.

Major Incidents: Who Was Hit and How

Salt Typhoon — First Confirmed SA Telecom Breach

Salt Typhoon (China-nexus, also tracked as Earth Estries / GhostEmperor / RedMike) was confirmed to have targeted an unnamed South African telecom provider, in activity identified by Recorded Future and reported by TechCrunch. The attack method mirrors Salt Typhoon’s global playbook: exploitation of Cisco IOS-XE routers, GRE tunnel implantation, passive traffic interception, and SNMP abuse. Salt Typhoon has previously breached AT&T, Verizon, T-Mobile, and 9+ US carriers, as well as telecoms across Europe and Asia. This is South Africa’s first publicly confirmed nation-state telecom infrastructure breach. Organisations relying on SA telecom infrastructure for sensitive communications should assume the possibility of passive interception and review their encryption posture.

Megasurf ISP — Krybit Ransomware

Megasurf, a South African internet service provider, was claimed by the Krybit ransomware group in Week 16. This brings the cumulative SA victim count to 104. The incident highlights continued targeting of SA internet infrastructure operators, consistent with the broader ISP-sector pressure seen in prior weeks. Krybit is a relatively new group with a focus on SME-scale service providers.

Liberty Group & Standard Bank — IR Compels Dual-Entity Disclosure

The Information Regulator publicly demanded greater transparency from both Liberty Group and Standard Bank on 10–11 April — the first time the IR has compelled coordinated dual-entity disclosure. This is a precursor stage; no formal Enforcement Notice had been published as of 12 April. Formal enforcement action in Week 17 is anticipated. Both entities face continued forensic investigation, with Standard Bank client notifications ongoing.

XP95 — Stats SA & GCRA Deadline Approaches

Neither Statistics South Africa nor the Gauteng City Region Academy has paid XP95’s US$100,000 ransom demands, and both are legally prohibited from doing so under the Public Finance Management Act. XP95 posted 6 new global victims in a single 24-hour window on 9 April and maintains active Telegram proof-of-exfil posts. The 20 April deadline means that approximately 882,000 combined records (453,362 from the Stats SA HR portal + 429,473 GCRA student and bursary records) are 7 days from public release. Secondary organisations that submitted data to Stats SA or recruited from the GCRA bursary pool face second-order PII exposure.

POPIA and Regulatory

The Information Regulator’s escalating posture in Week 16 — compelling coordinated dual-entity disclosure from Liberty and Standard Bank — signals a more aggressive enforcement stance entering Q2 2026. The IR has not yet issued a public advisory to the 453,000+ Stats SA data subjects or the 429,473 GCRA students, representing a significant notification gap. The Auditor-General’s expanded April 2026 findings flagged systemic governance weaknesses across public-sector entities, compounding the regulatory risk environment. POPIA Section 22 breach notifications for FY 2025/26 stand at 2,898+ (to 5 March 2026) — a 15-fold increase on the 2021/22 baseline.

Full Intelligence Report

The complete Week 16 technical report includes detailed coverage of Salt Typhoon’s SA telecom compromise methodology, XP95 deadline analysis, Cisco IOS-XE exploitation chain, Krybit actor profile, updated threat actor profiles, OSINT exposure analysis, and structured hunt missions (TH-2026-W16-01 to -04) with full IOC tables for SIEM/EDR ingestion.

What Your Business Should Do Right Now

  • Prepare for XP95 data publication on 20 April: If your organisation has ever submitted data to Stats SA job portals or the GCRA bursary programme, prepare second-order breach notification templates, staff FAQs, and call-centre scripts now. Do not wait for confirmation of publication.
  • Audit Cisco IOS-XE routers immediately: Check for Salt Typhoon IOCs — GRE tunnel interfaces not in your baseline, unexpected SNMP community strings, and new local admin accounts. Apply Cisco’s IOS-XE hardening guidance and verify integrity of running configurations against known-good backups.
  • Encrypt all sensitive communications: Given Salt Typhoon’s passive interception capability on SA telecom infrastructure, ensure TLS 1.3 is enforced end-to-end for all business-critical applications and that no sensitive data traverses unencrypted channels.
  • Check Liberty/Standard Bank secondary exposure: Organisations with Liberty insurance products or Standard Bank business accounts should assume potential client data exposure and enhance monitoring for targeted phishing using exposed client details.
  • Block XP95 exfiltration channels: Implement DNS/proxy blocking for MEGA.nz (g.api.mega.co.nz, mega.nz) and known Telegram API ranges, as XP95 uses these as primary exfiltration and proof-of-data channels.
  • Verify POPIA Information Officer registration: Only ~14% of organisations required to register have done so. With IR enforcement escalating, confirm your POPIA IO is registered and that your Section 22 breach response plan is current.
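To make the router audit in the second action item concrete, here is an added example (written for this briefing, not a tool from the full report, from Cisco or from any vendor): a small Python config-drift check that parses a saved IOS-XE running-config alongside a known-good baseline and reports the three indicators the item names, namely tunnel interfaces not in the baseline, SNMP community strings not in the baseline, and new privilege-15 local accounts. Both configurations are constructed samples; the hostname, account names, tunnel numbers, community strings and addresses are invented placeholders.

```python
"""Config-drift check for Cisco IOS-XE running configurations (added example).

Compares a saved running-config against a known-good baseline and reports
tunnel interfaces, SNMP communities and privilege-15 users that are not in
the baseline. Both configs below are constructed samples, not device output.
"""
import re
from typing import Dict, Set

# Constructed known-good baseline (placeholder values, not a real device).
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER_BASELINE
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel10
 ip address 10.10.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
snmp-server community mon-ro RO 10
!
end
"""

# Constructed current running-config that drifts on all three indicators.
CURRENT_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER_BASELINE
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER_NEW
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel10
 ip address 10.10.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel999
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
snmp-server community mon-ro RO 10
snmp-server community public RW
!
end
"""


def parse_ios_config(text: str) -> Dict[str, object]:
    """Extract tunnel interfaces, SNMP communities and privilege-15 users.

    IOS configs are block-structured: a non-indented line opens a block and
    the indented lines beneath it belong to that block; '!' separates blocks.
    Only tunnel blocks need their children kept; the other indicators are
    single top-level lines.
    """
    tunnels: Dict[str, Set[str]] = {}
    snmp: Dict[str, str] = {}  # community string -> RO/RW (IOS defaults to RO)
    priv15: Set[str] = set()
    current_tunnel = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current_tunnel = None
            continue
        if raw.startswith(" "):
            if current_tunnel is not None:
                tunnels[current_tunnel].add(raw.strip())
            continue
        current_tunnel = None
        m = re.match(r"interface (Tunnel\d+)\b", raw)
        if m:
            current_tunnel = m.group(1)
            tunnels[current_tunnel] = set()
            continue
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", raw)
        if m:
            snmp[m.group(1)] = m.group(2) or "RO"
            continue
        m = re.match(r"username (\S+) .*privilege 15\b", raw)
        if m:
            priv15.add(m.group(1))
    return {"tunnels": tunnels, "snmp": snmp, "priv15": priv15}


def audit_drift(baseline: str, current: str) -> Dict[str, object]:
    """Report indicators present in `current` but absent from `baseline`."""
    base = parse_ios_config(baseline)
    cur = parse_ios_config(current)
    new_tunnels = {name: sorted(lines) for name, lines in cur["tunnels"].items()
                   if name not in base["tunnels"]}
    # A baseline tunnel whose body changed (e.g. a redirected destination) matters too.
    changed_tunnels = sorted(name for name in cur["tunnels"]
                             if name in base["tunnels"]
                             and cur["tunnels"][name] != base["tunnels"][name])
    new_snmp = {c: mode for c, mode in cur["snmp"].items() if c not in base["snmp"]}
    new_priv15 = sorted(cur["priv15"] - base["priv15"])
    return {"new_tunnels": new_tunnels, "changed_tunnels": changed_tunnels,
            "new_snmp_communities": new_snmp, "new_privileged_users": new_priv15}


def drift_is_clean(findings: Dict[str, object]) -> bool:
    """True when no indicator category has any entries."""
    return not any(findings.values())


if __name__ == "__main__":
    for key, value in audit_drift(BASELINE_CONFIG, CURRENT_CONFIG).items():
        print(f"{key}: {value}")
```

In practice, replace the two constants with the text of a `show running-config` export and the archived baseline from your configuration backups. A clean result only shows that the running configuration has not drifted; it is not evidence that the device is uncompromised, so pair it with Cisco’s own IOS-XE hardening and integrity-verification guidance referenced in the action item.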