Maverick Citizen

CRITICAL FLAW

Brothers sound alarm as millions of students’ details left vulnerable to weaknesses in NSFAS system

Two brothers who are interested in IT have discovered serious flaws and vulnerabilities in NSFAS’ problematic Information and Communication Technology system that could have exposed millions of students’ personal data, including bank account details, to manipulation by scammers.

Two brothers have uncovered serious security flaws in the National Student Financial Aid Scheme financial system. (Illustrative image: Photos: Facebook | Brenton Geach / Gallo Images)

Two information-technology-savvy brothers, Connor and Jordan Bettridge, have discovered serious flaws and vulnerabilities in the National Student Financial Aid Scheme’s (NSFAS) problematic Information and Communication Technology (ICT) system. The flaws could have exposed millions of students’ personal data, including bank account details, to potential scammers, who could have accessed and manipulated it to their benefit.

This came after Connor, the younger brother, who is studying Computer Science at Varsity College in Cape Town, accessed the NSFAS portal while helping someone with a funding application. Gaining access to the communication page, Connor said that he saw students’ details, addresses, gender and income, including bank accounts.

Jordan, left, and Connor Bettridge. The two brothers uncovered flaws and vulnerabilities in the National Student Financial Aid Scheme system that could have exposed students’ personal data to scammers. (Photo: Supplied / Jordan Bettridge)

Daily Maverick spoke to the older brother, Jordan, who works full-time at an insurance technology company. Jordan said his brother asked him to do more digging on the issue.

“The found vulnerability was where you could gain access to any SMSes and emails that were sent out by the NSFAS system, so any time an applicant or a staff member or anyone logs in, you can see their one-time pins, you can see them signing up, you can see all of their personal information, like their ID numbers… It wasn’t difficult at all. You could write a script in 20 minutes that literally pulls every single SMS and email that the NSFAS system has sent, along with all the person’s information going all the way back to 2022. There were probably somewhere between half a million and a million applicants,” said Jordan.

“After some more digging, I was able to look at the code on the website because it’s slightly obfuscated, but I was able to de-obfuscate it, go through the code. I realised that it’s not just our side of the admin or our side of the dashboard that we’re able to see. We’re able to see the code for the admin dashboard. And by looking at that, I was able to find all the Application Programming Interface (API) endpoints relating to the admin dashboard. They weren’t secured. As an admin, I could decline people’s funding requests. I could change their banking details. I could withdraw active funding,” he said.

Graphic of how the two brothers entered the NSFAS portal and discovered flaws. Supplied by Jordan Bettridge.


NSFAS ICT system problems

Daily Maverick has extensively covered NSFAS’ chronic ICT system failures, highlighting issues like payment backlogs, tech woes and manual processes, leading to student anxiety, accommodation crises and demands for accountability from MPs.

Read more: MPs demand accountability as NSFAS struggles with payments, backlogs and ICT failures

In 2024, former NSFAS administrator Freeman Nomvalo told the Portfolio Committee on Higher Education that NSFAS’ ICT systems were not working well and were vulnerable to cyberattacks.

“Some of the things we have picked is that it is possible that information relating to students could be vulnerable to abuse.”

Consequences of a weak system

Some of these vulnerabilities, according to Jordan, could lead “a person to change banking details of students to their own banking details. NSFAS will pay them all of the funding that’s supposed to go to those students… I mean, if they can do anything from something as simple as, like, quite often on the dark web, you’ll find people selling data leaks, so some data broker will go, and they’ll condense all of this information about everyone, and they’ll sell it to the highest bidder,” said Bettridge.

The vulnerabilities in the National Student Financial Aid Scheme system reveal people’s personal data and addresses. (Source: Jordan Bettridge)

Alerting NSFAS

After this major discovery, both brothers tried to contact NSFAS so that the flaws could be fixed promptly. According to Jordan, he tried to get in contact with NSFAS via the call centre; however, he did not get through to anyone.

“That’s when I got in contact with MyBroadband, and I managed to get in contact with some people via WhatsApp, the media team, as well as, I think, the NSFAS acting CEO (Waseem Carrim). They closed the vulnerabilities… I’m sure the system still has some holes in it because nothing can be fixed overnight, but the biggest, most alarming ones were at least closed,” said Jordan.

Daily Maverick sought comment from Carrim, who replied with a statement that admitted two major points: first, that logged-in users could see, and download, all messages the system generated, including OTPs; and second, that the NSFAS Application Programming Interface (API) included several critical endpoints that were insecure. The statement also admitted that certain admin actions, such as withdrawing an appeal, could be performed through those endpoints, confirming what Jordan said.
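The two defects the statement admits are both missing authorisation checks. The following is an added illustration, not NSFAS code: a constructed in-memory store with each defect beside a hardened version (the role names, message and funding fields are assumptions).

```python
"""Added example (not NSFAS code): the two access-control defects described in the
statement, each beside a hardened version. All data and role names are constructed."""
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    role: str  # "applicant" or "admin" (assumed role model)

@dataclass
class Message:
    recipient_id: str
    body: str

@dataclass
class Store:
    messages: list = field(default_factory=list)
    funding: dict = field(default_factory=dict)  # applicant id -> funding status

class Forbidden(Exception):
    pass

# Defect 1: any logged-in user could list every message the system sent, OTPs included.
def list_messages_vulnerable(store, caller):
    return list(store.messages)  # no scoping to the caller at all

def list_messages_hardened(store, caller):
    # Only the caller's own messages; no bulk read of other recipients' OTPs.
    return [m for m in store.messages if m.recipient_id == caller.user_id]

# Defect 2: admin endpoints (e.g. withdrawing funding) accepted requests from any caller.
def withdraw_funding_vulnerable(store, caller, applicant_id):
    store.funding[applicant_id] = "withdrawn"  # no role check
    return store.funding[applicant_id]

def withdraw_funding_hardened(store, caller, applicant_id):
    if caller is None or caller.role != "admin":
        raise Forbidden("admin role required")  # enforced server-side, not in the UI
    store.funding[applicant_id] = "withdrawn"
    return store.funding[applicant_id]

def demo():
    store = Store(messages=[Message("A1", "OTP 123456"), Message("A2", "OTP 654321")],
                  funding={"A1": "active", "A2": "active"})
    applicant = User("A1", "applicant")
    leaked = len(list_messages_vulnerable(store, applicant))   # sees both OTPs
    scoped = len(list_messages_hardened(store, applicant))     # sees only its own
    try:
        withdraw_funding_hardened(store, applicant, "A2")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, scoped, blocked, store.funding["A2"]
```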

“NSFAS became aware of a potential security weakness and immediately activated its information security and incident management protocols. The matter was prioritised, investigated, and appropriate remedial actions were implemented without delay… NSFAS has strengthened access controls, reviewed system permissions, and enhanced monitoring across affected environments. Technical assessments and internal governance processes are also being applied to ensure the effectiveness of these measures,” read the statement.

However, there was no response to Daily Maverick’s questions about who was responsible for setting up the system, and whether they would be held accountable for the weaknesses.

Similar cases

This is not the first case of a government entity having flaws in its system. In 2024, two students from Stellenbosch University, Joel Cedras and Veer Gosai, exposed major security flaws and widespread fraud in the SA Social Security Agency Social Relief of Distress (SRD) grant system. Their findings led to a parliamentary investigation and highlighted systemic vulnerabilities.

Read more: Confirmed — Stellenbosch students’ fraud frailty warning on Sassa grant system

Cedras and Gosai found major problems in the system that included:

  • A lack of rate limiting, allowing them to run queries through the system thousands of times a minute.
  • No way to update an application once it was fraudulently made.
  • A general lack of verification of details and biometric verification, allowing for “mass grant and identity fraud”, according to Gosai. DM
