‘We were found wanting’: Sassa aware of social grant ‘fraud breaches’ since at least 2023

Minister of Social Development Sisisi Tolashe has addressed an alleged security breach of social grants, admitting that the department has been “found wanting”.

The minister appeared before Parliament’s Portfolio Committee on Social Development on Wednesday.

Two first-year Computer Science students from Stellenbosch University, Joel Cedras and Veer Gosai, recently wrote a GroundUp expose on alleged “massive fraud” in the South African Social Security Agency’s (Sassa) grant system.

Issue has been known for several months

Speaking on the alleged breach, Tolashe said the issues raised by the students had existed since at least 2023 but admitted a culture of procrastination persisted and the department was “found wanting”.

“We will take it upon ourselves to find out what this animal is and how much has it eaten up of the fiscus.”

She said the department’s large budget, R35 billion allocated for grants, made it attractive to criminals who “make a career” out of trying to exploit the system.

Tolashe asked for a report on the issue within 30 days.

The minister said the system had struggled to keep up with the sharp increase in social grant recipients from 2.4 million in 1998 to the current 28 million.

ALSO READ: Sassa’s SRD Grant system: Students expose alarming rate of fraudulent applications

Grant application ‘complications’

In their presentation, the students claimed they had asked students on campus to use their IDs to apply for a Social Relief of Distress (SRD) grant.

Of the 60 people asked, 58 had current applications on the system.

However, 56 of these 58 had not made the application themselves.

They also found bank accounts allegedly opened in people’s names without their knowledge, often just months after they turned 18.

They found three main “complications” with the process.

• There was no form of authentication on the system
• There were many suspected fraudulent applications,
• It is too easy to apply for the SRD grant.

Gosai highlighted system failures, noting that it failed to detect his status as a taxpayer earning above the threshold, indicating poor inter-departmental data sharing.

Their investigation also uncovered additional concerns when a Sassa customer care representative revealed that the publicly announced facial verification system had not been implemented.

This was discovered after Cedras made multiple attempts to obtain an SMS facial verification link while investigating potential identity theft. However, the pair claimed all their attempts to secure the verification link were in vain.

“The EKYC or e-ID verify system has not been put in place. We maybe can assume that people haven’t been trained on it yet and it might be in place,” Gosai explained.

The students suggested that Sassa’s inability to address their concerns stemmed from the agency’s hotline being inadequately equipped to handle numerous cases.

They recommended the Sassa SRD grant system be restarted with stricter verification processes.

ALSO READ: Sassa social grant security breach: Minister wants answers

‘We are not hackers’

During the briefing Cedras and Gosai defended themselves against accusations of hacking the Sassa system, explaining that they only utilised publicly available resources.

“We used the Sassa publicly available systems to generate our data,” Gosai clarified.

The pair emphasised that their investigation was conducted in their capacities, which they argued exempted them from Protection of Personal Information Act (Popia) requirements.

Cedras maintained their methods were legal.

“All we simply did was use an algorithm to generate hundreds of thousands of ID numbers. But there was nothing illegal about that,” he explained.

He noted that ID numbers were composed of public information that could be found on government websites.

Allegation of fraud embarrassing to the minister

African National Congress Member of Parliament Tshilidzi Bethuel acknowledged the gravity of the situation, stating that if the students’ findings about non-functional Sassa numbers were confirmed, it would be particularly embarrassing for the minister.

“Any form of allegation of fraud and corruption, if found to be true, will be embarrassing,” he stated.

Bethuel recommended implementing enhanced tools and capability developments for vulnerability assessments, mandating that

“Formal documentation of discovered vulnerability has to be made to the minister within the next 30 days.”

The committee’s chairperson, Bridget Staff Masango adjourned the meeting for 30 days to give Sassa a chance to formulate a reply to the students’ presentation.