{"id":637126,"date":"2026-04-02T08:00:17","date_gmt":"2026-04-02T06:00:17","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=637126"},"modified":"2026-04-02T09:06:01","modified_gmt":"2026-04-02T07:06:01","slug":"hackers-target-students-and-jobseekers-in-south-africa","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/637126-hackers-target-students-and-jobseekers-in-south-africa.html","title":{"rendered":"Hackers target students and jobseekers in South Africa"},"content":{"rendered":"\n<p>Three South African organisations were breached in March 2026 by a group calling itself XP95, with all three incidents targeting data from job seekers and students.&nbsp;<\/p>\n\n\n\n<p>Student bursary provider the Gauteng City Region Academy (GCRA) is the latest target, following a successful <a href=\"https:\/\/mybroadband.co.za\/news\/security\/636993-south-african-government-agency-with-sensitive-data-breached-in-r1-7-million-ransomware-attack.html\">breach of Statistics South Africa<\/a> and the Gauteng Provincial Government before that.&nbsp;<\/p>\n\n\n\n<p>Doreen Mokoena, CEO of cybersecurity group Cybersec Clinique, commented on the breach on Twitter\/X. Cybersec Clinique provides cybersecurity solutions to notable South African companies.<\/p>\n\n\n\n<p>&#8220;We identified a live ransomware extortion listing targeting the Gauteng City Region Academy,&#8221; Mokoena stated. The listing was posted on the dark web hacker community BreachForums.<\/p>\n\n\n\n<p>Around 429,473 files were exfiltrated, amounting to 147GB of data. The threat actors have set 20 April 2026 as the deadline for paying the R1.7 million ransom, or the data will be leaked online.<\/p>\n\n\n\n<p>GCRA is a government-funded bursary programme serving Gauteng students.&nbsp;&#8220;Students trusted this institution with their futures. 
Now their data is a bargaining chip,&#8221; said Mokoena.<\/p>\n\n\n\n<p>Real-time data breach aggregator and analyser VECERT <a href=\"https:\/\/x.com\/VECERTRadar\/status\/2038094842551566677\">reported<\/a> the GCRA breach, saying the data likely includes sensitive information about government funding.&nbsp;<\/p>\n\n\n\n<p>Academic data from students is also at risk, with scholarship records, academic transcripts, and records from South African universities now in the hands of criminals.&nbsp;<\/p>\n\n\n\n<p>VECERT also said that personal documentation, including identity documents and other private information, was included in the breach.&nbsp;<\/p>\n\n\n\n<p>In XP95&#8217;s other two attacks on South African targets, data belonging to people applying for jobs was stolen. Stats SA stated on Sunday that only one database was attacked.<\/p>\n\n\n\n<p>&#8220;The system that was breached is exclusively the HR system available for job seekers to apply online,&#8221; said Semakaleng Thulare, acting DDG Statistical Support and Informatics.<\/p>\n\n\n\n<p>Thulare said that the organisation will refuse to pay the R1.7 million ransom, the same amount set for the GCRA hack.&nbsp;<\/p>\n\n\n\n<p>Stats SA&#8217;s breach is strikingly similar to the <a href=\"https:\/\/mybroadband.co.za\/news\/security\/633359-south-africas-richest-province-hacked-with-gigabytes-of-personal-data-on-sale-for-r420000.html\">recent Gauteng Provincial Government breach<\/a>, where XP95 also targeted systems containing data from people seeking employment from the government.<\/p>\n\n\n\n<p>A total of 3.8TB of personal data was stolen from Gauteng, or around 3.7 million individual files. 
At the time, the threat actor was selling the files online for less than R420,000.<\/p>\n\n\n\n<p>We have reached out to the GCRA for comment on the incident, but it had not responded by the time of publication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A new hacker group is stealing information from South African organisations<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"539\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/03\/Gauteng-XP95-GPG-Breach-Forums-announce-screenshot-1200x539.jpg\" alt=\"\" class=\"wp-image-633361\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/03\/Gauteng-XP95-GPG-Breach-Forums-announce-screenshot-1200x539.jpg 1200w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/03\/Gauteng-XP95-GPG-Breach-Forums-announce-screenshot-600x269.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/03\/Gauteng-XP95-GPG-Breach-Forums-announce-screenshot-768x345.jpg 768w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/03\/Gauteng-XP95-GPG-Breach-Forums-announce-screenshot.jpg 1232w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption class=\"wp-element-caption\">Screenshot of XP95 advertising its breach of the Gauteng Provincial Government<\/figcaption><\/figure>\n\n\n\n<p>The inevitable sale or publication of the trove of personal data XP95 stole will place users at risk of identity theft or &#8220;spearphishing&#8221; attacks that are more personalised and targeted.<\/p>\n\n\n\n<p>For example, a threat actor could spearphish an individual with an email that states, &#8220;Click this link to find out about your job application to Stats SA,&#8221; with malware embedded in the link.<\/p>\n\n\n\n<p>XP95 is a relatively new threat actor, and although many of its victims have been South African, it has also targeted organisations in other countries.<\/p>\n\n\n\n<p>News of the group 
first emerged on 5 March 2026, when it posted on BreachForums announcing the theft of medical data from the Spanish mental health platform eHolo Health.<\/p>\n\n\n\n<p>According to a <a href=\"https:\/\/databreaches.net\/2026\/03\/30\/south-african-government-agency-and-spanish-psychological-software-provider-victims-of-cyberattacks-by-xp95\/\">Databreaches.net report<\/a>, eHolo&#8217;s attempt to bargain with XP95 failed, which eventually led to user information being leaked online.<\/p>\n\n\n\n<p>&#8220;The company themselves valued their customer and patient data at only 80,000 USD. For us, this amount is insignificant,&#8221; the threat actor reportedly said. XP95 had asked for $300,000.<\/p>\n\n\n\n<p>&#8220;We are therefore releasing everything for free to set a clear example for other companies that believe they can ignore serious breaches without consequences.&#8221;<\/p>\n\n\n\n<p>According to the threat actor, the breach of eHolo was partly due to what it called &#8220;proud claims&#8221; from the company that its patients&#8217; data security was its top priority.<\/p>\n\n\n\n<p>&#8220;Their privacy policy and blog posts talk endlessly about how much they &#8216;care about patient confidentiality and data security,&#8217; their actions during this real incident showed complete negligence and disregard.&#8221;<\/p>\n\n\n\n<p>XP95 said the leak wasn&#8217;t just about money; it was about &#8220;exposing the hypocrisy&#8221; of these types of companies.<\/p>\n\n\n\n<p>The group has no known activity before 5 March 2026. 
It is likely named after older Microsoft operating systems, as the group&#8217;s leak site is styled to resemble Windows 95 and Windows 2000.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The new hacker group XP95 has targeted South African government organisations to steal jobseeker and student data.<\/p>\n","protected":false},"author":341213,"featured_media":637323,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[104144,104142,104141,104143,86647,801,103766],"class_list":["post-637126","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-breachforums","tag-cybersec-clinique","tag-doreen-mokoena","tag-gauteng-city-region-academy","tag-gauteng-provincial-government","tag-malware","tag-xp95"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/637126"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=637126"}],"version-history":[{"count":13,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/637126\/revisions"}],"predecessor-version":[{"id":638055,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/637126\/revisions\/638055"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/637323"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=637126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=637126"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=637126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}