A forensic investigation commissioned by the Department of Social Development has uncovered alarming security vulnerabilities in the South African Social Security Agency (Sassa)’s Social Relief of Distress (SRD) grant system, potentially putting beneficiaries’ personal information at significant risk.
Masegare & Associates Incorporated, the investigative firm hired to examine the system, revealed critical security gaps that could expose sensitive data to potential cyber-attacks.
The investigators’ findings were presented in Parliament on Wednesday, after the Minister of Social Development Sisisi Tolashe recommended a comprehensive investigation of the SRD system and all other grant systems administered by Sassa, with the investigation to be completed within 30 days.
The investigators found that the Sassa online system currently does not encrypt sensitive data such as IDs, permits, or banking details.
The investigations came as two first-year students from the University of Stellenbosch, Joel Cedras and Veer Gosai, claimed the SRD application system was vulnerable to digital threats.
The pair claimed to have been searching for weaknesses in government and private-sector systems.
They said they’d done their research legally through the use of publicly available internet resources, like the backends of multiple government portals.
“We inform all relevant institutions of any vulnerabilities we find, and in most cases, give them sufficient time to address the issues before we disclose them publicly. We never exploit the vulnerabilities for our own benefit,” Cedras and Gosai said.
The pair were able to query 300,000 ID numbers rapidly without encountering any security barriers, and found an implausible 91% application rate among people born in February 2005.
A later system assessment revealed multiple critical vulnerabilities, including weak authentication mechanisms, improper server configurations, inadequate data encryption, and missing security headers.
Other weaknesses found included multiple applications per cellphone number, exposed system directories, and login security where the “login page is vulnerable to automated attacks where hackers can repeatedly guess passwords to access sensitive accounts”.
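As an added example (not code from the article, the investigators or Sassa), the check below flags the kind of rapid bulk ID lookup and repeated automated requests described above: a per-client sliding window over constructed access-log lines that counts distinct ID numbers queried. The endpoint path, log format and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed log lines: "<ISO timestamp> <client IP> <request path>".
# 10.0.0.5 walks consecutive ID numbers within seconds (enumeration);
# 10.0.0.9 behaves like a genuine applicant checking one status twice.
SAMPLE_LOG = """\
2025-02-12T09:00:00 10.0.0.5 /srd/status?id=0502150000080
2025-02-12T09:00:01 10.0.0.5 /srd/status?id=0502150000081
2025-02-12T09:00:01 10.0.0.5 /srd/status?id=0502150000082
2025-02-12T09:00:02 10.0.0.5 /srd/status?id=0502150000083
2025-02-12T09:00:03 10.0.0.9 /srd/status?id=8801015000087
2025-02-12T09:00:03 10.0.0.5 /srd/status?id=0502150000084
2025-02-12T09:00:04 10.0.0.5 /srd/status?id=0502150000085
2025-02-12T09:05:00 10.0.0.9 /srd/status?id=8801015000087
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, client, id_number)."""
    ts, client, path = line.split(" ", 2)
    qs = parse_qs(urlparse(path).query)
    return datetime.fromisoformat(ts), client, qs.get("id", [None])[0]

def find_enumerators(log_text, window_seconds=60, max_distinct_ids=5):
    """Return {client: peak number of distinct IDs seen in any window} for
    clients that query more than max_distinct_ids distinct ID numbers within
    window_seconds. Repeated checks of the same ID by one applicant count
    once, so a genuine user does not trip the threshold."""
    windows = defaultdict(deque)   # client -> deque of (timestamp, id)
    peaks = {}
    for line in log_text.splitlines():
        ts, client, id_number = parse_line(line)
        if id_number is None:
            continue
        win = windows[client]
        win.append((ts, id_number))
        # Drop entries that have aged out of the sliding window.
        while (ts - win[0][0]).total_seconds() > window_seconds:
            win.popleft()
        distinct = len({i for _, i in win})
        if distinct > max_distinct_ids:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return peaks
```

The same per-client window applied to a login endpoint, keyed on failed attempts rather than ID numbers, is the rate-limiting the assessment found missing on the login page.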
“The medium threat level classification indicates that while the system is not at high risk, there are still important vulnerabilities that need to be addressed to ensure its security,” explained Masegare & Associates’ Stanley Matshote.
However, Matshote said that, despite the medium-risk classification, these vulnerabilities posed a significant chance of unauthorised access to information, system disruption, and non-compliance with data protection laws.
According to the investigation, specific security concerns include login pages vulnerable to automated attacks, and system misconfigurations allowing unauthorised access.
Additionally, weak content security policies, exposed system directories, and unprotected backup files were some of the loopholes.
While Matshote did not confirm all of the students’ findings, he said Masegare & Associates’ conclusions aligned with those of Cedras and Gosai.
“We have done a vulnerability assessment and our findings show that we have gaps in our system that require attention,” said Matshote.
Responding to an MP’s question, Matshote said they could not determine whether or not the students hacked the Sassa system.
“We don’t know yet because this [the allegations] is coming from them. They may have hacked the system, and by hacking we are saying it’s just bypassing the way the system should operate. Yes they may claim that they did not hack the system, but that is their word,” he said.
Minister of Social Development Sisisi Tolashe acknowledged the system’s faults and committed to a thorough investigation.
She promised to employ consequence management and uncover those responsible for fraudulent activities, such as using a single ID number for multiple applications.
Tolashe confirmed that the matter was referred to the Special Investigating Unit (SIU) and the State Security Agency (SSA), though no response was received within the specified timeframe of 30 days granted to them by the committee.
Speaking to the media after the meeting, Tolashe said she had requested an extension because she found the 30-day deadline insufficient to do a full investigation.
Investigators recommended several critical security improvements, including implementing end-to-end encryption, conducting regular security audits, and strengthening multi-factor authentication.
“The system may be vulnerable to undetected attacks or exploits if not regularly tested for security weaknesses.
“The Sassa system should conduct regular security audits and penetration testing to identify potential vulnerabilities and proactively address them; this will help maintain a strong security posture and ensure the SRD system is resilient against emerging threats.”
They also advised that the system be updated to limit multiple applications per cellphone number, and that biometric verification be expanded.