OUT-LAW NEWS
South African data breach highlights need for effective incident response
A recent cyber attack in South Africa has refocused attention on incident response. Photo: Sean Anthony Eddy/iStock
02 Apr 2026, 3:06 pm
A recent cybersecurity breach at South Africa’s national statistical service casts a renewed spotlight on how organisations respond to cyber attacks, an expert has said.
On 29 March, Statistics South Africa (Stats SA) reported that an unauthorised party had gained access to one of its human resources databases, potentially accessing information belonging to job seekers who apply online to join the service.
Local news outlets have reported that the attack was carried out by a cybercrime group known as XP95; that more than 400,000 files have potentially been compromised; and that a ransom of around R1.7 million (approx. £75,000) was demanded, failing which the files would be made public. Stats SA has said it would notify the South African Information Regulator and “be guided by their processes”.
The incident comes as cyber incidents are becoming increasingly commonplace across South Africa. A similar incident took place in March 2025 when South African real estate company Pam Golding Properties experienced a targeted attack on its customer relationship management system.
Such incidents are principally addressed through a combination of the common law, the Cybercrimes Act 19 of 2020, and South Africa’s Protection of Personal Information Act (POPIA). While the Cybercrimes Act creates offences that have a bearing on cybercrime – including cyber extortion – and regulates the powers to investigate cybercrimes, POPIA focuses on the protection of personal information and imposes obligations on organisations to safeguard personal data and notify affected data subjects of any suspected security compromises.
Under POPIA, the duty to notify data subjects of a security compromise arises where there are reasonable grounds to believe that personal information may have been accessed or acquired by an unauthorised person. Notification to the Information Regulator and affected data subjects must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate interests of law enforcement.
Notices can be sent to the affected data subjects by post, email, or published on the responsible party’s website or in the media. They must provide the data subject with a description of the possible consequences of the security compromise, steps taken to address the compromise, sufficient information to allow data subjects to take protective measures, and recommended mitigation measures.
Unlike article 33 of the EU’s General Data Protection Regulation, which requires the controller to notify the supervisory authority of a personal data breach within 72 hours, POPIA adopts a more subjective standard of notification: the Information Regulator and affected data subjects must be notified as soon as reasonably possible. While this standard is more adaptable, unjustified delays will still attract regulatory scrutiny and require an explanation for the delay.
Despite the escalating threat of cybercrime in South Africa, there has been some progress on the enforcement side. Since many of the POPIA regulations came into effect on 1 July 2021 and the Cybercrimes Act came into force on 1 December 2021, enforcement has increased. In 2023, the Information Regulator, notably, imposed its first administrative fine of R5 million against the Department of Justice and Constitutional Development following a cyber incident and systemic POPIA non‑compliance.
In 2025, South Africa also reported its first successful cybercrime conviction under the Cybercrimes Act. An individual was sentenced to eight years in prison for unlawfully accessing sensitive data after launching a cyber attack on his former employer in direct contravention of the Cybercrimes Act.
Data privacy expert Mark Thomas of Pinsent Masons said this latest breach served as a stark reminder for organisations and businesses to have an incident response plan in place that allows them to detect and respond quickly to incidents when they occur. “The manner in which Stats SA reports the incident and cooperates with law enforcement will be closely watched,” he said. “Beyond the immediate operational impact at Stats SA, the incident is likely to attract regulatory attention from the Information Regulator, with a particular focus on incident response preparedness and POPIA compliance.”
Thomas added that this incident also underscores the need for public organisations to comply with South Africa’s data privacy law. “POPIA compliance is mandatory and this is a positive obligation that requires a proactive approach,” he said. “Simply saying that you will be guided by the Information Regulator is not good enough.”
Thomas said as cyber incidents become more frequent and enforcement more visible, organisations should also expect regulators to assess not only whether a breach has occurred, but how effectively it has been “anticipated, managed, communicated and addressed”.