Between 16 and 28 October last year, individuals, presumed to be either employed by Postbank or by a Postbank contractor, stole at least R89,459,330 in cash through Sassa accounts. The brazen fraud involved illicitly crediting grant beneficiary accounts with large sums, and then emptying these accounts at ATMs. 

It is the second major security breach since the South African Post Office (Sapo) and its subsidiary, Postbank, took control of the bulk of the social grant system in 2018. 

In that year, the Postbank “master key”, a digital encryption code safeguarding customer ATM PIN codes and other encrypted means of accessing accounts, was stolen. Roughly R56-million was leached from Postbank accounts over the course of nearly two years, leading to an instruction from the South African Reserve Bank that Postbank reissue a reported 12 million cards at enormous expense.

This time around, the damage was far larger and faster. Approached for comment, Postbank confirmed the theft but stressed that the money was not stolen from customers – but rather from Postbank itself. 

“Postbank wishes not to provide too much information about the modus operandi of the cybercrime fraud incident in order to protect the sensitive processes of the investigation that is currently underway,” Postbank acting chief executive Kevin Maartens said in response to questions.

The scheme was accidentally discovered when a call centre operator noticed a Sassa grant beneficiary account with a balance of just under R100,000 – highly anomalous for a grant recipient. 

While the scam involved the use of cloned Sassa bank cards to withdraw funds, the cooperation of genuine grant recipients was seemingly necessary.

A report commissioned from Ankura Consulting Group to analyse the security breach noted that the perpetrators would have needed “a large-scale coordinated effort on the ‘outside’ to recruit beneficiaries willing to participate in allowing fraudulent activity to take place through their accounts”.

The Ankura report, dated 9 December, concluded that “the attack demonstrates high levels of sophistication on the part of the malicious actor, and a high degree of knowledge of the Postbank network, database structure and working practices”.

An external hack is possible in principle, but considered unlikely:

“Whilst it cannot be conclusively determined, due to the absence and deletion of log files, that the incident was caused by an ‘insider threat’ – an employee, unauthorised attacker with access to Postbank’s network and/or third party supplier with the necessary knowledge of, and access to the Postbank Oracle databases and wider infrastructure – this does perhaps seem a more plausible explanation based on the data reviewed by Ankura.”

On 28 October, the day the scam was discovered, the guilty parties allegedly set about covering their digital tracks by creating “malicious unauthorised” user accounts with privileged access to Postbank’s systems. These were used to erase audit trails until discovered and disabled by Postbank on 4 November, according to Ankura.

Postbank is the main custodian of the social grant system, paying out more than R10-billion to roughly eight million grant beneficiaries every month. A recipient of the old age grant would, for example, normally receive roughly R1,900 and withdraw the full amount. Finding tens of thousands of rands in a beneficiary account is a major red flag.

A “risk management report” produced by Maartens in December shows that a total of 279 accounts were used to fraudulently withdraw the funds.

“This modus operandi included only ATM transactions as the perpetrators tried to withdraw the funds as quickly as possible. The loss could not be determined with 100% accuracy and final numbers are not fully verified yet. The number is not expected to change materially and the loss amounts to R89,459,330,” reads the report.

“It is clear from the above that the exploitation of a substandard IT environment by attackers led to a major loss,” Maartens concluded.

According to him, “further processes of implementing additional security enhancing measures to make our environment more robust” are ongoing.

Who’s to know?

Earlier this month, the Sapo controversially presented its new turnaround strategy titled, “The Post Office of Tomorrow” to Parliament’s portfolio committee on communications. The presentation was done behind closed doors.

It is not clear whether the incident at Postbank, which is a subsidiary of Sapo but is currently being unbundled, was discussed at the meeting. In his report, Maartens claims that all relevant authorities, including the SA Reserve Bank (Sarb), were informed about the breach.

“The incident was reported to Sarb as required by the Banks Act. A formal Precca [Prevention and Combating of Corrupt Activities Act] report was also filed as required for losses above R100K… acknowledgement of the report was received from Sarb,” he said in his internal report.

However, when approached for comment, Sarb contradicted Maartens’ version.

“The South African Reserve Bank is not aware of any breach or compromise of the systems at the Post Office… Furthermore, the Prudential Authority does not supervise the Postbank SOC Limited as it is not a registered bank, in terms of the Banks Act.”

Postbank seemingly also kept the Department of Social Development – under which Sassa operates – in the dark.

“The department received no formal communication on the incident, and no grant beneficiaries were affected,” the department’s spokesperson, Lumka Oliphant, told amaBhungane in a text message.

Postbank doubled down on its version.

“On the question regarding the reporting protocols that were deployed by Postbank, Postbank maintains that the cybercrime incident was reported to the relevant law enforcement agencies [SAPS] as well as Sarb and Postbank’s cybercrime insurance provider within the prescribed time frame.”

No cover

The incident at Postbank has highlighted the vulnerability of state-owned entities to cybercrimes. It has revealed that at least some are allegedly unable to procure insurance against losses from cyberattacks in the first place.

According to Maartens’ report, Postbank was able to claim R75-million from its insurer and another R5-million from its Cell Captive to counter the losses. This left a dead loss of R9.5-million, plus expenses, of over R2-million.

The more serious problem is that Postbank’s insurance against cybercrimes of any sort is now exhausted until 31 July 2023 – and it cannot get any additional insurance.

“The lack of cover is obviously a major concern for both Sapo and Postbank,” reads Maartens’ report.

In the process of looking for extra cover, Postbank apparently discovered that its peers, other state-owned entities, had the same problem.

“We requested the insurance broker to go out to the market to try to source additional cover for Postbank. The broker approached all the local underwriters for proposals or options. The response was very clear, but very concerning. 

“The majority of the insurers responded that they do not insure any SOEs for cybercrime as the risk posture and control environments fall outside their risk appetite.” 

International insurers AIG and Marsh turned down Postbank’s business and this avenue “seems like a dead end”, said Maartens.

After failing to find insurance on its own, Postbank claims it turned to its peers among state-owned entities, asking who they are insured with. 

According to Maartens, Postbank approached the SA Revenue Service (SARS), the Industrial Development Corporation (IDC) and the State Information Technology Agency.

“The response was clear… these SOEs could not obtain cover from local insurers and they do not have any cybercrime cover.”

If true, this would be particularly concerning considering the ransomware attack on Transnet in July last year that shut down parts of the country’s port infrastructure for a week.

The IDC, however, denies being unable to secure adequate cyberattack insurance, saying that “claims about the IDC not being insured against losses from cyberattacks is wholly inaccurate”.

In response to questions, the state-owned financier said: “Like all finance institutions, the IDC is acutely aware of cybersecurity risks, has the appropriate cover and its embedded IT governance practices proactively deal with live threats of cyberattacks. 

“Due to risks associated with cybersecurity and material concerns we all have about it, the Corporation will not engage in hearsay or respond to unfounded statements by unrelated third parties.”

SARS and Sita did not respond to questions.

Questioned further, Postbank appeared to backtrack: “Postbank wishes to stress that the context of the information on cybercrime insurance within state-owned entities is the emphasis that Postbank has a different risk profile, and cybercrime insurance requirements, which are not necessarily comparable to the cyberinsurance products that other state-owned entities currently utilise.

“Regarding procuring additional cybercrime insurance and cybercrime insurance matters, Postbank is considering various options that do not exclude cell captive and/or self-assurance options following indications of a low market appetite of insurance for entities with our comparable risk profile and cybercrime insurance requirements. 

“The market exploration for an additional cybercrime insurer is also continuing, and the bank is adequately insured for risks other than cybercrime,” it said. DM

The amaBhungane Centre for Investigative Journalism is an independent non-profit organisation. We co-publish our investigations, which are free to access, to news sites like Daily Maverick. For more, visit us at www.amaB.org

[hearken id=”daily-maverick/9303″]