Sassa social grant security breach: Minister wants answers

Minister of Social Development, Sisisi Tolashe, has called an urgent meeting with the South African Social Security Agency (Sassa) and the Department of Social Development Executive Committee on Friday.

This is for them to account for an alleged data security breach within the social grant system.

“The country will be updated in due course on this matter,” said the department in a statement on Friday.

Sassa security breach exposé

The meeting follows an exposé published by GroundUp this week regarding “massive fraud” in Sassa’s Covid-19 grant system.

The exposé was authored by two first-year Computer Science students from Stellenbosch University, Joel Cedras and Veer Gosai.

The pair claimed to have been searching for weaknesses in government and private-sector systems. 

They said they’d done their research legally through the use of publicly available internet resources, like the backends of multiple government portals.

“We inform all relevant institutions of any vulnerabilities we find, and in most cases, give them sufficient time to address the issues before we disclose them publicly. We never exploit the vulnerabilities for our own benefit,” Cedras and Gosai said.

According to the pair, the investigation found critical security flaws: they were able to query 300,000 ID numbers rapidly without security barriers, and the results revealed an implausible 91% application rate among individuals born in February 2005.

Cedras and Gosai said they also conducted an analysis of birth cohorts from 1960 to 2006, which showed a suspicious spike of about 90% in applications among recent 18-year-olds.

Additionally, they did a targeted survey and found that 56 out of 60 participants had fraudulent applications submitted in their names without their knowledge.

The investigation also uncovered successful fraudulent grant payments, suggesting systematic exploitation of Sassa’s system.

Cedras and Gosai said their efforts to reach Sassa after spotting the breach were in vain.

“Most of the contact numbers listed on their website either do not exist, or ring indefinitely.”

Agency refutes breach

Sassa on Wednesday denied the breach. However, they said they were aware of multiple attempts by individuals who were trying to take advantage of the government’s efforts to support marginalised communities.

The agency explained that its security measures have evolved in response to changing risk patterns.

“Sassa has implemented several countermeasures, including algorithms based on data and metadata to identify potentially fraudulent applications that require further identity verification,” the statement read.

According to Sassa, the measures were carefully designed considering that 60% of South African youth are unemployed and could qualify for the grant.

Sassa emphasised that it continued to balance fraud prevention with accessibility for legitimate applicants.

“It is thus a matter of vulnerability versus functionality that should be always balanced,” the agency said.

Looking ahead, Sassa announced it was “in the process of rolling out enhanced security measures for all SRD-related functions as part of the rollout of a new mobile app.”

The agency highlighted the importance of maintaining a balance between security and accessibility, noting that “Sassa must deploy its security measures without causing inconvenience to its client base while taking into consideration that a large part of our client base is not technology literate”.

Portfolio Committee on Social Development calls Sassa to account

However, Parliament’s Portfolio Committee on Social Development wrote a letter to the minister requesting she call on Sassa and department officials to account.

“Sassa is expected to respond to the findings made by the two students and defend the system’s robustness to the committee’s satisfaction,” the committee’s statement read.

The committee on Friday said it had invited the two students who wrote the article to present their findings, adding that this aligned with its mandate of regulating and monitoring Sassa’s work.

“Furthermore, the committee has requested the presentation of Mr Cedras and Mr Gosai to outline the legal frameworks and methods they used to access the SASSA grant payment system.”

The committee scheduled the meeting for 23 October at 09:30. The meeting will be in Room M46 in the Marks Building at Parliament.

Published by
By Enkosi Selane