
AMABHUNGANE

The great Sassa swindle – Postbank theft of R89.4m via social grant system kept under wraps

Illustrative image | An elderly woman waits in line outside a Sassa office on 30 April 2021 in Bellville, South Africa. (Photo: Gallo Images / Brenton Geach) | Sassa grant recipients wait in long queues outside the Sharpeville Post Office on 14 January 2021. (Photo: Gallo Images / Fani Mahuntsi)

Unknown individuals, most likely working from inside the aspiring state-owned Postbank, stole millions through the social grant system late last year. The breach, which has been kept a secret, is the second time the Sassa payment system has been compromised since Postbank took charge of the social grant payment system in 2018.


Between 16 and 28 October last year, individuals, presumed to be either employed by Postbank or by a Postbank contractor, stole at least R89,459,330 in cash through Sassa accounts. The brazen fraud involved illicitly crediting grant beneficiary accounts with large sums, and then emptying these accounts at ATMs. 

It is the second major security breach since the South African Post Office (Sapo) and its subsidiary, Postbank, took control of the bulk of the social grant system in 2018. 

In that year, the Postbank “master key”, the encryption key safeguarding customer ATM PIN codes and other encrypted means of accessing accounts, was stolen. Roughly R56-million was siphoned from Postbank accounts over the course of nearly two years, leading to an instruction from the South African Reserve Bank that Postbank reissue a reported 12 million cards at enormous expense.

This time around, the damage was far larger and faster. Approached for comment, Postbank confirmed the theft but stressed that the money was not stolen from customers – but rather from Postbank itself. 

“Postbank wishes not to provide too much information about the modus operandi of the cybercrime fraud incident in order to protect the sensitive processes of the investigation that is currently underway,” Postbank acting chief executive Kevin Maartens said in response to questions.

The scheme was accidentally discovered when a call centre operator noticed a Sassa grant beneficiary account with a balance of just under R100,000 – highly anomalous for a grant recipient. 

While the scam involved the use of cloned Sassa bank cards to withdraw funds, the cooperation of genuine grant recipients was seemingly necessary.

A report commissioned from Ankura Consulting Group to analyse the security breach noted that the perpetrators would have needed “a large-scale coordinated effort on the ‘outside’ to recruit beneficiaries willing to participate in allowing fraudulent activity to take place through their accounts”.

The Ankura report, dated 9 December, concluded that “the attack demonstrates high levels of sophistication on the part of the malicious actor, and a high degree of knowledge of the Postbank network, database structure and working practices”.

An external hack is possible in principle, but considered unlikely:

“Whilst it cannot be conclusively determined, due to the absence and deletion of log files, that the incident was caused by an ‘insider threat’ – an employee, unauthorised attacker with access to Postbank’s network and/or third party supplier with the necessary knowledge of, and access to the Postbank Oracle databases and wider infrastructure – this does perhaps seem a more plausible explanation based on the data reviewed by Ankura.”

On 28 October, the day the scam was discovered, the guilty parties allegedly set about covering their digital tracks by creating “malicious unauthorised” user accounts with privileged access to Postbank’s systems. These were used to erase audit trails until discovered and disabled by Postbank on 4 November, according to Ankura.

Postbank is the main custodian of the social grant system, paying out more than R10-billion to roughly eight million grant beneficiaries every month. A recipient of the old age grant would, for example, normally receive roughly R1,900 and withdraw the full amount. Finding tens of thousands of rands in a beneficiary account is a major red flag.

A “risk management report” produced by Maartens in December shows that a total of 279 accounts were used to fraudulently withdraw the funds.

“This modus operandi included only ATM transactions as the perpetrators tried to withdraw the funds as quickly as possible. The loss could not be determined with 100% accuracy and final numbers are not fully verified yet. The number is not expected to change materially and the loss amounts to R89,459,330,” reads the report.

“It is clear from the above that the exploitation of a substandard IT environment by attackers led to a major loss,” Maartens concluded.

According to him, “further processes of implementing additional security enhancing measures to make our environment more robust” are ongoing.
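The signals the article describes are mechanically checkable: a credit to a grant account that did not come from the scheduled grant run, a balance far above the roughly R1,900 a beneficiary normally holds, and a rapid series of ATM withdrawals that empties the account. The following is an added example, not Postbank's, Ankura's or amaBhungane's code. The transaction records, the channel names ("GRANT_RUN", "ADJUSTMENT", "ATM", "POS") and the thresholds are constructed assumptions chosen to mirror the reported pattern, not figures from the investigation.

```python
"""Added example: rule-based screening of grant-account transactions.

The records, channel names and thresholds below are constructed assumptions
that mirror the pattern the article describes; they are not Postbank data
or Postbank's detection logic.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    kind: str      # "CREDIT" or "DEBIT"
    channel: str   # assumed channel names: "GRANT_RUN", "ADJUSTMENT", "ATM", "POS"
    amount: float  # rands, always positive


# Assumed thresholds. The only figure taken from the article is the roughly
# R1,900 monthly old-age grant; the multipliers are illustrative.
TYPICAL_GRANT = 1900.0
BALANCE_CEILING = 10 * TYPICAL_GRANT       # balance a grant account should never reach
CASHOUT_WINDOW = timedelta(hours=72)       # velocity window for ATM withdrawals
CASHOUT_MIN_COUNT = 3                      # at least this many ATM withdrawals...
CASHOUT_MIN_TOTAL = 3 * TYPICAL_GRANT      # ...summing to more than this, in the window


def detect(txns: list[Txn]) -> dict[str, list[str]]:
    """Return {account: [alert, ...]} for every account that trips a rule."""
    alerts: dict[str, list[str]] = defaultdict(list)
    by_account: dict[str, list[Txn]] = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)

    for acct, items in by_account.items():
        items.sort(key=lambda t: t.ts)
        balance = 0.0
        for t in items:
            if t.kind == "CREDIT":
                balance += t.amount
                # Rule 1: the only legitimate credit source is the scheduled grant run.
                if t.channel != "GRANT_RUN":
                    alerts[acct].append(
                        f"off-cycle credit via {t.channel}: R{t.amount:,.0f}")
                # Rule 2: the call-centre signal, a balance no grant account should reach.
                if balance > BALANCE_CEILING:
                    alerts[acct].append(f"balance R{balance:,.0f} exceeds ceiling")
            else:
                balance -= t.amount

        # Rule 3: cash-out velocity, a sliding window over ATM withdrawals only.
        atm = [t for t in items if t.kind == "DEBIT" and t.channel == "ATM"]
        for i, first in enumerate(atm):
            window = [t for t in atm[i:] if t.ts - first.ts <= CASHOUT_WINDOW]
            total = sum(t.amount for t in window)
            if len(window) >= CASHOUT_MIN_COUNT and total > CASHOUT_MIN_TOTAL:
                alerts[acct].append(
                    f"{len(window)} ATM withdrawals totalling R{total:,.0f} "
                    f"within {CASHOUT_WINDOW}")
                break  # one velocity alert per account is enough

    return dict(alerts)


def sample_ledger() -> list[Txn]:
    """Constructed records: an ordinary beneficiary, a recruited account, a POS user."""
    d = datetime
    return [
        Txn("SASSA-0001", d(2021, 10, 1, 6, 0), "CREDIT", "GRANT_RUN", 1900.0),
        Txn("SASSA-0001", d(2021, 10, 1, 9, 30), "DEBIT", "ATM", 1900.0),
        Txn("SASSA-0002", d(2021, 10, 1, 6, 0), "CREDIT", "GRANT_RUN", 1900.0),
        Txn("SASSA-0002", d(2021, 10, 18, 23, 10), "CREDIT", "ADJUSTMENT", 95000.0),
        Txn("SASSA-0002", d(2021, 10, 19, 0, 5), "DEBIT", "ATM", 5000.0),
        Txn("SASSA-0002", d(2021, 10, 19, 0, 12), "DEBIT", "ATM", 5000.0),
        Txn("SASSA-0002", d(2021, 10, 19, 7, 40), "DEBIT", "ATM", 5000.0),
        Txn("SASSA-0002", d(2021, 10, 20, 8, 1), "DEBIT", "ATM", 5000.0),
        Txn("SASSA-0003", d(2021, 10, 1, 6, 0), "CREDIT", "GRANT_RUN", 1900.0),
        Txn("SASSA-0003", d(2021, 10, 2, 12, 0), "DEBIT", "POS", 450.0),
    ]


if __name__ == "__main__":
    for acct, found in detect(sample_ledger()).items():
        print(acct)
        for line in found:
            print("  -", line)
```

Run stand-alone, the script reports only SASSA-0002, with one alert per rule. The point for an insider case like the one described is where such a check runs: if it reads from the same Oracle databases and audit tables the perpetrators could edit and delete, it can be silenced the same way the audit trails were; a copy of the transaction feed written to a system the database administrators cannot alter is what keeps the rules honest.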

Who’s to know?

Earlier this month, the Sapo controversially presented its new turnaround strategy titled, “The Post Office of Tomorrow” to Parliament’s portfolio committee on communications. The presentation was done behind closed doors.

It is not clear whether the incident at Postbank, which is a subsidiary of Sapo but is currently being unbundled, was discussed at the meeting. In his report, Maartens claims that all relevant authorities, including the SA Reserve Bank (Sarb), were informed about the breach.

“The incident was reported to Sarb as required by the Banks Act. A formal Precca [Prevention and Combating of Corrupt Activities Act] report was also filed as required for losses above R100K… acknowledgement of the report was received from Sarb,” he said in his internal report.

However, when approached for comment, Sarb contradicted Maartens’ version.

“The South African Reserve Bank is not aware of any breach or compromise of the systems at the Post Office… Furthermore, the Prudential Authority does not supervise the Postbank SOC Limited as it is not a registered bank, in terms of the Banks Act.”

Postbank seemingly also kept the Department of Social Development – under which Sassa operates – in the dark.

“The department received no formal communication on the incident, and no grant beneficiaries were affected,” the department’s spokesperson, Lumka Oliphant, told amaBhungane in a text message.

Postbank doubled down on its version.

“On the question regarding the reporting protocols that were deployed by Postbank, Postbank maintains that the cybercrime incident was reported to the relevant law enforcement agencies [SAPS] as well as Sarb and Postbank’s cybercrime insurance provider within the prescribed time frame.”

No cover

The incident at Postbank has highlighted the vulnerability of state-owned entities to cybercrimes. It has revealed that at least some are allegedly unable to procure insurance against losses from cyberattacks in the first place.

According to Maartens’ report, Postbank was able to claim R75-million from its insurer and another R5-million from its cell captive to counter the losses. This left a dead loss of R9.5-million, plus expenses of over R2-million.

The more serious problem is that Postbank’s insurance against cybercrimes of any sort is now exhausted until 31 July 2023 – and it cannot get any additional insurance.

“The lack of cover is obviously a major concern for both Sapo and Postbank,” reads Maartens’ report.

In the process of looking for extra cover, Postbank apparently discovered that its peers, other state-owned entities, had the same problem.

“We requested the insurance broker to go out to the market to try to source additional cover for Postbank. The broker approached all the local underwriters for proposals or options. The response was very clear, but very concerning. 

“The majority of the insurers responded that they do not insure any SOEs for cybercrime as the risk posture and control environments fall outside their risk appetite.” 

International insurers AIG and Marsh turned down Postbank’s business and this avenue “seems like a dead end”, said Maartens.

After failing to find insurance on its own, Postbank claims it turned to its peers among state-owned entities, asking who they are insured with. 

According to Maartens, Postbank approached the SA Revenue Service (SARS), the Industrial Development Corporation (IDC) and the State Information Technology Agency (Sita).

“The response was clear… these SOEs could not obtain cover from local insurers and they do not have any cybercrime cover.”

If true, this would be particularly concerning considering the ransomware attack on Transnet in July last year that shut down parts of the country’s port infrastructure for a week.

The IDC, however, denies being unable to secure adequate cyberattack insurance, saying that “claims about the IDC not being insured against losses from cyberattacks is wholly inaccurate”.

In response to questions, the state-owned financier said: “Like all finance institutions, the IDC is acutely aware of cybersecurity risks, has the appropriate cover and its embedded IT governance practices proactively deal with live threats of cyberattacks. 

“Due to risks associated with cybersecurity and material concerns we all have about it, the Corporation will not engage in hearsay or respond to unfounded statements by unrelated third parties.”

SARS and Sita did not respond to questions.

Questioned further, Postbank appeared to backtrack: “Postbank wishes to stress that the context of the information on cybercrime insurance within state-owned entities is the emphasis that Postbank has a different risk profile, and cybercrime insurance requirements, which are not necessarily comparable to the cyberinsurance products that other state-owned entities currently utilise.

“Regarding procuring additional cybercrime insurance and cybercrime insurance matters, Postbank is considering various options that do not exclude cell captive and/or self-assurance options following indications of a low market appetite of insurance for entities with our comparable risk profile and cybercrime insurance requirements. 

“The market exploration for an additional cybercrime insurer is also continuing, and the bank is adequately insured for risks other than cybercrime,” it said. DM

The amaBhungane Centre for Investigative Journalism is an independent non-profit organisation. We co-publish our investigations, which are free to access, to news sites like Daily Maverick. For more, visit us at www.amaB.org

All Comments 16

  • me not receiving any post or my wife not being able to renew her post box are obviously not related to attentions being pointed elsewhere
    No reason that Mark Barnes offers to sort the shit out are being ignored

  • South African style Ubuntu at work again !! Can you imagine the nightmare potential employers have in vetting gaps in CVs where the applicant says they were unemployed for a spell, and so “how did you manage to survive” and the blatantly untrue answer is “I made a Plan” instead of “I got involved in SASSA grant fraud – it was lucrative for a while” !!!

  • Absolutely all dealings in entities like SASSA should be completely transparent to the public and accessible online, including each and every recipient and how much is paid to them by taxpayers’ money.

  • …..and nothing can go wrong..go wrong..go wrong… When are we going to acknowledge that the ‘security’ of IT computer systems is worse than the old pre-IT systems. I worked in the UK’s banking system in the early 1960s. Each transaction was recorded by two separate individuals, one on ledgers, the other on statements. This enabled the discovery of unusual account activity, forged signatures on cheques etc, mistakes by cashiers on the tills; and until the ‘Books’ balanced at the end of the day, even by 1 halfpenny, nobody went home until the error was found. These days who checks the computers??? This sort of fraud should have been picked up at the initial attempt, and questioned / reported. I ran into problems with modern IT systems when I paid salaries to my employees, same bank, same branch, but it took 3 days or more to arrive. Where did it go for those 3 days? It had left my account. Imagine a million transactions per day of R1000 in the country, with interest at over 10% – somebody was making a killing who could make a computer ‘lose’ this money for 3 days!

  • How on earth do bank systems not detect an obvious problem when R90m moves from SASSA or PostBank and then out through ATMs in a few days???? How were those accounts created? At say R2000 per day per account for 13 days there must have been thousands of ghost bank accounts with ATM cards. New accounts especially should have pattern detection: new, large deposit, succession of cash withdrawals = a red flag that is so obvious…

  • Does a day go by without some major new expose of theft & corruption by those involved in state owned businesses? And, few of these rapacious thieves are ever charged, arrested or see the inside of a court room? And Frogboiler just talks & talks & talks while SA slowly implodes.

  • The ‘interesting’ part is how it was kept hidden for 5 months….
    How did the ‘banks’ not notice, suspect or more importantly report these anomalous transactions when these people turned them into piggy-banks?
