What Business Owners Need to Know This Week
Week 17 represents South Africa’s most severe concurrent cyber crisis on record. The threat level is upgraded to CRITICAL. Standard Bank, Africa’s largest bank by assets, had 1.2 TB of client data publicly released by threat actor ROOTBOY — 154 million SQL rows including client names, ID numbers, account details, and limited credit card data. The XP95 20 April deadline arrives at the end of this reporting window, with Stats SA (453K+ records) and GCRA (429K+ student records) legally prohibited from paying. ShinyHunters targeted Polmed — the SAPS medical scheme serving 100,000+ police officers — creating direct physical safety risk to law enforcement personnel. Adumo, SA’s largest independent payments processor (R80B+ annually), had POS source code and chip-and-PIN certification artefacts offered on the dark web. A Cisco IOS-XE CVSS 9.8 zero-day (CVE-2026-1834) is actively exploited with direct Salt Typhoon relevance.
The Bottom Line: South Africa faces simultaneous crises across four sectors in a single week: Government (XP95 deadline), Banking (Standard Bank 1.2 TB release), Law Enforcement (Polmed/SAPS), and Payment Infrastructure (Adumo POS). This is an unprecedented convergence. The Cisco IOS-XE zero-day adds fresh attack surface directly relevant to the confirmed Salt Typhoon SA telecom compromise. Boards must be briefed immediately on all four threat vectors.
The Week in Numbers
- 2,204 cyberattacks per week targeting South African organisations — 36% year-on-year increase.
- 105 cumulative SA ransomware victims as of 19 April 2026, up from 104 (W16).
- 2 new confirmed SA victims in Week 17: Sunspray Food Ingredients and an ambulance service organisation.
- 1.2 TB / 154 million SQL rows of Standard Bank client data publicly released by ROOTBOY.
- 100,000+ SAPS officers affected by the Polmed / ShinyHunters breach; the exposed data includes residential addresses and command structure roles.
- R80 billion+ in annual payment volume processed by Adumo, whose POS source code and chip-and-PIN artefacts were offered on the dark web.
- 7 new CISA KEV entries in Week 17 scope, up from 2 in Week 16; 6 critical CVEs actively exploited.
- 167 CVEs addressed in Microsoft’s April Patch Tuesday — the second-largest ever — including 2 zero-days.
- 788 POPIA breach notifications received in Q1 2026 alone (IR disclosure 14 April).
Major Incidents: Who Was Hit and How
Standard Bank — 1.2 TB Data Release by ROOTBOY
Standard Bank Group, Africa’s largest bank by assets, had 1.2 TB of client data publicly released by threat actor ROOTBOY (also identified as PrinzEugen) on ransomware.live. The dataset contains an estimated 154 million SQL rows including client names, ID numbers, account details, and limited credit card data. Standard Bank issued client notifications confirming that names, surnames, ID numbers, and email addresses were exposed. The Information Regulator had already demanded coordinated transparency in Week 16; this release transforms it from a threatened breach to a confirmed mass data exposure event.
Polmed / ShinyHunters — 100,000+ SAPS Officers
ShinyHunters targeted Polmed, the South African Police Service medical scheme, exposing data on over 100,000 SAPS officers. The dataset includes residential addresses, command structure roles, medical history, and dependent information. This creates a direct physical safety risk for law enforcement personnel whose home addresses and unit assignments are now potentially accessible to criminal networks. No official SAPS statement had been issued as of 19 April.
Adumo — POS Source Code on Dark Web
Adumo, South Africa’s largest independent payments processor handling over R80 billion in transactions annually, had its POS terminal source code and chip-and-PIN certification artefacts offered on dark web forums. The exposure of payment processing source code and certification materials creates a systemic risk for the broader SA merchant ecosystem, potentially enabling card-skimming firmware development or bypass of PCI-DSS certification controls.
XP95 — 20 April Deadline Arrives
The XP95 20 April publication deadline for Statistics South Africa (154 GB / 453,362 files) and the Gauteng City Region Academy (147 GB / 429,473 student records) arrives at the end of Week 17’s reporting window. Neither entity has paid; both are prohibited from doing so by the Public Finance Management Act (PFMA). Data publication is now assessed as near-certain. Organisations with second-order PII exposure via Stats SA HR or GCRA bursary portals should activate prepared breach notification processes immediately.
Cisco IOS-XE — CVE-2026-1834 (CVSS 9.8) Zero-Day
A new Cisco IOS-XE zero-day (CVE-2026-1834, CVSS 9.8) is under active exploitation with direct relevance to the confirmed Salt Typhoon SA telecom compromise. The vulnerability enables remote code execution on Cisco IOS-XE devices without authentication. Any organisation running Cisco IOS-XE network infrastructure — routers, switches, or SD-WAN controllers — should apply Cisco’s advisory patches immediately and audit for GRE tunnel implants.
POPIA and Regulatory
The Information Regulator disclosed that 788 POPIA Section 22 breach notifications were received in Q1 2026 alone (14 April IR disclosure) — on pace to exceed the full-year 2025 total. The Liberty Group investigation continues with formal enforcement action expected following the Week 16 dual-entity transparency demand. The XP95 deadline lapse at Stats SA and GCRA will trigger additional Section 22 obligations for secondary-exposure organisations. April Patch Tuesday’s scale (167 CVEs) also triggers Joint Standard 2/2024 obligations for financial-sector entities to document patch assessment and remediation timelines.
Full Intelligence Report
The complete Week 17 technical report includes detailed Standard Bank breach scope analysis, ROOTBOY actor profile, Polmed exposure map, Adumo POS risk assessment, XP95 post-deadline analysis, Cisco IOS-XE CVE-2026-1834 exploitation chain, Salt Typhoon SA telecom update, and structured hunt missions (TH-2026-W17-01 to -05) with full IOC tables.
What Your Business Should Do Right Now
- Patch Cisco IOS-XE immediately (CVE-2026-1834, CVSS 9.8): Apply Cisco advisory patches for all IOS-XE devices. Audit for GRE tunnel implants, unexpected SNMP strings, and new local admin accounts consistent with Salt Typhoon TTPs.
- Activate Standard Bank secondary-exposure response: If your organisation banks with Standard Bank or Standard Bank holds supplier/partner data about your clients, brief your privacy officer and prepare client communications. Monitor for targeted phishing using exposed ID numbers and contact details.
- Alert Polmed-related staff: Any organisation employing SAPS officers or administering benefits under Polmed should brief HR and security teams. Physical security protocols for officers whose home addresses may be exposed should be reviewed with SAPS command.
- Assess Adumo POS exposure: Merchants using Adumo-integrated POS terminals should contact Adumo for an incident update and assess whether firmware or certification updates are required. Monitor PCI-DSS compliance status.
- Apply Microsoft April Patch Tuesday (167 CVEs): Prioritise the 2 zero-days patched in this cycle. Financial-sector entities must document patch assessment under Joint Standard 2/2024 requirements.
- Activate XP95 second-order breach notifications: If your organisation submitted data to Stats SA HR portals or GCRA bursary programmes, the 20 April deadline has now lapsed. Activate prepared breach notification processes for affected data subjects.
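A starting point for the Cisco IOS-XE audit recommended above (GRE tunnel implants, unexpected SNMP strings, new local admin accounts), written as an added example for this digest and not taken from Cisco, the report or any vendor tool: it walks a `show running-config` capture and flags GRE-mode tunnel interfaces, SNMP community strings and privilege-15 accounts that are absent from an allowlist. The config excerpt, hostnames, addresses and allowlists are constructed; the allowlists stand in for a baseline exported from your own change records.

```python
# Added example: audit an IOS-XE running-config for GRE tunnel interfaces,
# unexpected SNMP community strings and unexpected privilege-15 accounts.
import re

# Constructed `show running-config` excerpt, not output from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
interface Tunnel100
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
snmp-server community MonitoringRO RO
snmp-server community public RW
!
end
"""

KNOWN_ADMINS = {"netops"}      # accounts your change records approve (assumed)
KNOWN_SNMP = {"MonitoringRO"}  # community strings your NMS actually uses (assumed)

def audit_config(config, known_admins=KNOWN_ADMINS, known_snmp=KNOWN_SNMP):
    """Return (category, detail) findings; an empty list means nothing flagged."""
    findings = []
    # IOS indents sub-commands by one space, so splitting at unindented lines
    # yields one block per top-level command (interface, username, snmp-server).
    for block in re.split(r"\n(?=\S)", config):
        lines = block.splitlines()
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        # 1. Any GRE-mode tunnel interface, reported with its remote endpoint.
        if head.startswith("interface Tunnel") and any("tunnel mode gre" in ln for ln in body):
            dest = next((ln.split()[-1] for ln in body if ln.strip().startswith("tunnel destination")), "?")
            findings.append(("gre_tunnel", f"{head.split()[1]} -> {dest}"))
        # 2. Privilege-15 local users that are not in the baseline.
        m = re.match(r"username (\S+) privilege 15", head)
        if m and m.group(1) not in known_admins:
            findings.append(("unexpected_admin", m.group(1)))
        # 3. SNMP community strings not in the baseline; RW is the worse case.
        m = re.match(r"snmp-server community (\S+) (RO|RW)", head)
        if m and m.group(1) not in known_snmp:
            findings.append(("unexpected_snmp", f"{m.group(1)} ({m.group(2)})"))
    return findings
```

Run it against a fresh capture from each device after patching; a non-empty result is a lead for the incident response team, not proof of compromise on its own.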