Gauteng was lucky with latest 3.8TB data breach, but the luck will run out

The Gauteng Provincial Government’s latest cybersecurity disaster exposes a critical failure of basic infrastructure. Yet, as experts warn of escalating human and systemic risks, this breach was merely a warning shot. How long can its luck hold?

The Gauteng Provincial Government was lucky with this cyberattack, but a potential crisis is clear to see. (Photo: iStock)

The initial alert was brief but alarming: a new ransomware syndicate had just dumped a massive cache of South African government data on the dark web.

But, after immediately forwarding the link to Darknotify – a boutique, under-the-radar threat intelligence outfit run by two brilliant Stellenbosch University graduates who serve as Daily Maverick’s primary research resource for these digital tremors – it turned out to be not as bad as it seemed.

Ten minutes later, the Stellies duo confirmed the nightmare. A Ransomware-as-a-Service (RaaS) syndicate operating under the moniker XP95 had successfully lifted 3.8 terabytes of data from the Gauteng Provincial Government.

Comprising 3,673,556 individual files, the data haul has been slapped with a $25,000 (about R417,300) price tag – so a Chery Tiggo Cross will unlock the haul.

To prove they aren’t bluffing, the threat actors dumped a 1.8GB sample online. The contents are a potential privacy catastrophe: high-resolution copies of ID documents, passports and CVs. These are the intimate digital paper trails of citizens (probably job seekers) who trusted the provincial state with their personal information.

Premier Panyaza Lesufi’s administration predictably scrambled to the podium. Lesufi assured the public that the government is “on it”, explaining that internal security protocols had been activated. Spokesperson Elijah Mhlanga swiftly followed up, warning that “speculation at this stage would be premature”.

The open digital window

But thanks to the metadata, we don’t need to speculate. The autopsy of this breach is already being written, and the cause of death is catastrophic infrastructural neglect.

Usually, when we analyse a breach of this magnitude, the conversation immediately pivots to human error.

Bryan Palma, CEO of security awareness agency KnowBe4, is adamant that the human element is the primary attack vector in the modern threat landscape.

Cybercriminals rarely “hack” any more; they log in, usually by tricking an employee through sophisticated phishing or social engineering. Palma was in South Africa on his first visit since taking the reins in 2025 and preached to the media over dinner about a broader, systemic societal risk: the danger of “cognitive offloading.” As we rush to adopt digital transformation, we rely too heavily on technology without building the foundational, deep-subject knowledge required to manage it.

We are producing a workforce that is “less empowered” and fundamentally unable to master the tools they deploy.

But here is the terrifying kicker about the Gauteng breach: this wasn’t that. XP95 didn’t need to trick a tired municipal worker into clicking a malicious link. They didn’t need to exploit human psychology or bypass a sophisticated firewall using social engineering.

According to Darknotify’s forensic analysis, the breach most probably originated from an internal scanner server. In the cybersecurity world, leaving an insecure, internet-facing scanner server on your network is the digital equivalent of installing a state-of-the-art biometric lock on your front door, but leaving the ground-floor windows wide open.

The Gauteng Provincial Government didn’t fall victim to human error; the government simply left the machines unguarded.

Internal assessments reveal a horrifying reality: 70% of the provincial government’s network devices – totalling more than 1,734 individual hardware units – had already reached their end-of-service (EOS). Worse still, the core network infrastructure reached its end-of-life in December 2024. For more than a year, the economic hub of the continent has been running on obsolete digital life support.

When you combine that with a threat landscape where South African entities endure an average of 2,145 cyberattacks per week, a breach wasn’t just likely; it was mathematically inevitable.
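The two failure modes the article names, hardware past end-of-service and an unsupported service reachable from the internet, are exactly what an asset-inventory check should surface before anyone outside does. The script below is an added example, not code from the article, Darknotify or the Gauteng Provincial Government: it takes a device inventory, reports the share already past vendor support, and orders a remediation queue so that unsupported, internet-facing devices come first. The hostnames, roles and dates in the inventory are constructed, and the three-point scoring rule is an assumption chosen for illustration.

```python
"""Asset-inventory triage for end-of-service (EOS) and internet-exposed devices.

Added example for illustration; not code from Daily Maverick, Darknotify or the
Gauteng Provincial Government. Inventory values below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    role: str
    end_of_service: Optional[date]  # None means the vendor still supports it
    internet_facing: bool


# Constructed sample inventory (hypothetical hostnames, roles and dates).
INVENTORY: List[Device] = [
    Device("core-sw-01", "core switch", date(2024, 12, 31), False),
    Device("core-sw-02", "core switch", date(2024, 12, 31), False),
    Device("edge-fw-01", "firewall", None, True),
    Device("scan-srv-07", "scanner server", date(2022, 6, 30), True),
    Device("scan-srv-08", "scanner server", date(2022, 6, 30), False),
    Device("hr-db-01", "database", None, False),
    Device("vpn-gw-01", "vpn gateway", date(2023, 3, 1), True),
]


def is_past_eos(device: Device, today: date) -> bool:
    """True when the vendor stopped supporting (and patching) the device."""
    return device.end_of_service is not None and device.end_of_service < today


def days_unsupported(device: Device, today: date) -> int:
    """Days since end-of-service; 0 for devices still under support."""
    if not is_past_eos(device, today):
        return 0
    return (today - device.end_of_service).days


def eos_share(inventory: List[Device], today: date) -> float:
    """Fraction of the inventory already past end-of-service (0.0 to 1.0)."""
    if not inventory:
        return 0.0
    return sum(is_past_eos(d, today) for d in inventory) / len(inventory)


def risk_rank(device: Device, today: date) -> int:
    """Assumed scoring: exposure and unsupported status each add one point,
    and the combination adds a third, because an unpatchable device on the
    internet edge is the case that needs attention first."""
    exposed = device.internet_facing
    unsupported = is_past_eos(device, today)
    score = int(exposed) + int(unsupported)
    if exposed and unsupported:
        score += 1
    return score


def remediation_queue(inventory: List[Device], today: date) -> List[str]:
    """Names of devices needing action, worst first (ties broken by name);
    supported, internal-only devices are left out."""
    ranked = [(risk_rank(d, today), d) for d in inventory]
    ranked = [(score, d) for score, d in ranked if score > 0]
    ranked.sort(key=lambda item: (-item[0], item[1].name))
    return [d.name for _, d in ranked]


if __name__ == "__main__":
    as_of = date(2026, 2, 1)  # constructed reporting date
    print(f"Past end-of-service: {eos_share(INVENTORY, as_of):.0%} of devices")
    for name in remediation_queue(INVENTORY, as_of):
        dev = next(d for d in INVENTORY if d.name == name)
        print(f"{name:12} {dev.role:15} exposed={dev.internet_facing} "
              f"unsupported_days={days_unsupported(dev, as_of)}")
```

The queue puts the unsupported scanner server and VPN gateway ahead of the unsupported core switches, which are internal; the switches still matter, but the internet-facing devices are the ones an outsider can reach without any help from an employee. In practice the inventory would come from a CMDB or network-management export rather than a hard-coded list, and the end-of-service dates from vendor lifecycle notices.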

Shiny objects and systemic rot

How does a province with a multibillion-rand budget allow its core digital backbone to rot? The answer lies in a toxic cocktail of bureaucratic paralysis and political vanity.

Provincial governments are legally shackled to the State Information Technology Agency (Sita) for core IT procurement. This creates an administrative purgatory. Departments are forced to run dangerously outdated systems while waiting for glacial Sita tenders to be finalised.

But the Democratic Alliance (DA) argues that blame cannot be laid entirely at Sita’s door. Michael Waters, the DA Gauteng spokesperson for e-Government, points to a deliberate misallocation of resources.

“Over the past few years, the GPG has spent hundreds of millions of rands on technology projects that fall outside the core mandate of e-Government,” Waters said in the wake of the breach. “These include large-scale CCTV surveillance systems, drones and a panic-button application for community safety initiatives.”

While these projects generate excellent political headlines, they drastically expand the province’s digital attack surface without fortifying the underlying network.

“The breach we are seeing today should not be treated as an isolated incident. It is the predictable consequence of years of neglect, misplaced priorities and weak oversight,” Waters said.

The uncomfortable truth

Look at the timeline of the past decade. From City Power and the Department of Justice to the Companies and Intellectual Property Commission, the National Health Laboratory Service and the Land Bank, the South African state has served as a punching bag for global cybercriminals. We are bleeding data, crippled by a severe human capital deficit where only one in three dedicated public sector cybersecurity positions is filled.

But, looking at the sheer incompetence that led to the XP95 breach, one cannot but conclude one thing: Gauteng actually got off lucky.

Yes, the exposure of 3.8 terabytes of citizen IDs and CVs is a massive, unforgivable privacy violation. But the compromised node was an isolated scanner server. It wasn’t the provincial treasury. It wasn’t the databases controlling local power grids, traffic management systems or hospital life support.

If threat actors could walk away with nearly four million files simply because a server was too old to be patched, imagine what a sophisticated, targeted attack could do to the province’s critical infrastructure.

Gauteng survived a graze from a stray bullet this week. But with obsolete hardware, misplaced budgets and a gaping lack of foundational cybersecurity skills, the real question is: how long can its luck hold? DM
