Dimitri Fousekis, chief technology officer and co-founder of South African cybersecurity firm Bitcrack Cyber Security, told MyBroadband that the leak appeared to be authentic.<\/p>\n\n\n\n
However, he said it was impossible to say how much data had been acquired, since the full extent of the leak could not be determined. Black X demanded a hefty sum for the database.<\/p>\n\n\n\n
When we initially reported on the alleged breach, we contacted the ANC for comment. The party did not respond to our queries and instead publicly denied the breach in a post on X\/Twitter.<\/p>\n\n\n\n
In the post, the ANC said that reports about the breach were “fake news” and called them “sensationalist.”<\/p>\n\n\n\n
“The ANC cautions against reckless speculation and the circulation of unverified claims designed to create unnecessary panic, fear, and political mischief,” it said at the time.<\/p>\n\n\n\n
A report by infostealer intelligence firm Hudson Rock then suggested that a malware infection had been linked to the ANC’s Internet domain.<\/p>\n\n\n\n
Infostealers are viruses that infect computers and harvest sensitive user data. Some just steal login credentials, while others may exfiltrate private keys for crypto wallets and other financial information.<\/p>\n\n\n\n
Responding to a follow-up query about the Hudson Rock report, the ANC told MyBroadband that it was aware of Black X’s claims of a data breach.<\/p>\n\n\n\n
“The ANC’s service provider, Emperio, undertook a Preliminary Security Incident Assessment in the immediate aftermath of the claim,” it said.<\/p>\n\n\n\n
Emperio completed the report and sent it to the Office of the Secretary General, after which the office considered the report and briefed the National Working Committee on the findings.<\/p>\n\n\n\n
“Emperio’s preliminary investigation identified no conclusive evidence of unauthorised access to the current production database under Emperio’s management,” the ANC said.<\/p>\n\n\n\n
“The threat claim is more consistent with an opportunistic threat or extortion attempt, or with possible historical data exposure predating Emperio’s current hosted environment, than with a verified breach.”<\/p>\n\n\n\n
The ANC said it had been in communication with the Information Regulator of South Africa since 15 May about the potential breach of private member data.<\/p>\n\n\n\n
“The Regulator recorded that it became aware of a possible security compromise on or about 15 May 2026 and set in motion the standing engagement protocol on its side,” the party said.<\/p>\n\n\n\n
“Engagement extends, on the ANC’s instance to SAPS report and SSA alert as the past data may include senior executive members in cabinet and state.”<\/p>\n\n\n\n
ANC in communication with the Information Regulator<\/h2>\n\n\n\n![\"\"](\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/03\/POPIA-Estates-Gate-Guards-Pansy-1200x675.jpg\")
Pansy Tlakula, Information Regulator chairperson<\/figcaption><\/figure>\n\n\n\nThe Information Regulator told MyBroadband that the party had not formally reported a security compromise as required in section 22 of POPIA.<\/p>\n\n\n\n
This section states that custodians of private data must inform the regulator if outside actors have potentially compromised people’s data.<\/p>\n\n\n\n
However, the party and the regulator were engaged in ongoing communications related to the Black X breach claims.<\/p>\n\n\n\n
“The ANC, following our communication to them, responded extensively, and we are still processing and considering their submission,” the regulator said.<\/p>\n\n\n\n
“We will thereafter determine the way forward or the course of action we will take.”<\/p>\n\n\n\n
The party said that, through Emperio, its ICT provider, it has taken measures to strengthen its standing security architecture.<\/p>\n\n\n\n
This began with rotating passwords and credentials and applying additional security patches on its official domain, which the hacker group said it targeted.<\/p>\n\n\n\n
“Administrative access exposure, including Remote Desktop Protocol (RDP) access, has been reviewed with a focus on restricting access to trusted sources only,” the ANC said.<\/p>\n\n\n\n
“Server and database configuration areas associated with higher risk have been reviewed \u2014 privileged access, SQL logins, suspicious changes, backup and export indicators, and high-risk features.”<\/p>\n\n\n\n
Emperio was also engaged in ongoing monitoring and log review to identify any new evidence or indicators of compromise that may arise.<\/p>\n\n\n\n
Existing vulnerabilities on the ANC’s systems<\/h2>\n\n\n\n![\"\"](\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Fousekis-AWS.jpg\")
Dimitri Fousekis, co-founder and CTO of Bitcrack Cyber Security<\/figcaption><\/figure>\n\n\n\nAt the same time, the Office of the Secretary General commissioned a separate External Risk Assessment scan of the party’s public-facing domains and IP addresses.<\/p>\n\n\n\n
“That scan, dated 15 May 2026, has surfaced a discrete set of pre-existing hygiene exposures \u2014 historical credentials drawn from old third-party breaches,” it said.<\/p>\n\n\n\n
It also found typo-squatting domains targeting the ANC’s brand, and outdated security configurations across parts of the public-facing estate. “These exposures are being remediated,” it said.<\/p>\n\n\n\n
However, it said these exposures are unrelated to claims made by Black X, as they are separate from the membership system the hacker group said it breached.<\/p>\n\n\n\n
The Information Regulator told MyBroadband that the party had not formally reported a security compromise as required in section 22 of POPIA.<\/p>\n\n\n\n
This section states that custodians of private data must inform the regulator if outside actors have potentially compromised people’s data.<\/p>\n\n\n\n
However, the party and the regulator were engaged in ongoing communications related to the Black X breach claims.<\/p>\n\n\n\n
“The ANC, following our communication to them, responded extensively, and we are still processing and considering their submission,” the regulator said.<\/p>\n\n\n\n
“We will thereafter determine the way forward or the course of action we will take.”<\/p>\n\n\n\n
The party said that, through Emperio, its ICT provider, it has taken measures to strengthen its standing security architecture.<\/p>\n\n\n\n
This began with rotating passwords and credentials and applying additional security patches on its official domain, which the hacker group said it targeted.<\/p>\n\n\n\n
“Administrative access exposure, including Remote Desktop Protocol (RDP) access, has been reviewed with a focus on restricting access to trusted sources only,” the ANC said.<\/p>\n\n\n\n
“Server and database configuration areas associated with higher risk have been reviewed \u2014 privileged access, SQL logins, suspicious changes, backup and export indicators, and high-risk features.”<\/p>\n\n\n\n
Emperio was also engaged in ongoing monitoring and log review to identify any new evidence or indicators of compromise that may arise.<\/p>\n\n\n\n
Existing vulnerabilities on the ANC’s systems<\/h2>\n\n\n\nDimitri Fousekis, co-founder and CTO of Bitcrack Cyber Security<\/figcaption><\/figure>\n\n\n\nAt the same time, the Office of the Secretary General commissioned a separate External Risk Assessment scan of the party’s public-facing domains and IP addresses.<\/p>\n\n\n\n
“That scan, dated 15 May 2026, has surfaced a discrete set of pre-existing hygiene exposures \u2014 historical credentials drawn from old third-party breaches,” it said.<\/p>\n\n\n\n
It also found typo-squatting domains targeting the ANC’s brand, and outdated security configurations across parts of the public-facing estate. “These exposures are being remediated,” it said.<\/p>\n\n\n\n
However, it said these exposures are unrelated to claims made by Black X, as they are separate from the membership system the hacker group said it breached.<\/p>\n\n\n\n
At the same time, the Office of the Secretary General commissioned a separate External Risk Assessment scan of the party’s public-facing domains and IP addresses.<\/p>\n\n\n\n
“That scan, dated 15 May 2026, has surfaced a discrete set of pre-existing hygiene exposures \u2014 historical credentials drawn from old third-party breaches,” it said.<\/p>\n\n\n\n
It also found typo-squatting domains targeting the ANC’s brand, and outdated security configurations across parts of the public-facing estate. “These exposures are being remediated,” it said.<\/p>\n\n\n\n
However, it said these exposures are unrelated to claims made by Black X, as they are separate from the membership system the hacker group said it breached.<\/p>\n\n\n\n