Between 16 and 28 October last year individuals presumed to be either employed by Postbank or by a Postbank contractor stole at least R89 459 330 in physical cash through SASSA accounts. The brazen fraud involved illicitly crediting grant beneficiary accounts with large sums and then emptying these accounts out at ATMs.
It is the second major security breach since the South African Post Office (SAPO) and its subsidiary Postbank took control of the bulk of the social grant system in 2018. In that year the Postbank “master key”, a digital encryption code safeguarding customer ATM pin codes and other encrypted means of accessing accounts, was stolen. Roughly R56-million was leached from Postbank accounts over the course of nearly two years leading to an instruction from the South African Reserve Bank that Postbank reissue a reported 12-million cards at enormous expense.
This time around the damage was far larger and far faster.
Approached for comment Postbank confirmed the theft but stressed that the money was not stolen from customers but rather from Postbank itself.
“Postbank wishes not to provide too much information about the modus operandi of the cybercrime fraud incident in order to protect the sensitive processes of the investigation that is currently underway,” Postbank acting chief executive Kevin Maartens said in response to questions.
The scheme was only accidentally discovered and quashed when a call-centre operator noticed a SASSA grant beneficiary account with a balance of just under R100 000 — highly anomalous for a grant recipient.
While the scam involved the use of cloned SASSA bank cards to withdraw funds, the cooperation of real grant recipients was seemingly necessary.
A report commissioned from Ankura Consulting Group to analyse the security breach noted that the perpetrators would have needed “a large-scale co-ordinated effort on the ‘outside’ to recruit beneficiaries willing to participate in allowing fraudulent activity to take place through their accounts”.
The Ankura report, dated 9 December, concluded that “the attack demonstrates high levels of sophistication on the part of the malicious actor, and a high degree of knowledge of the Postbank network, database structure and working practices”.
An external hack is possible in principle, but considered unlikely:
“Whilst it cannot be conclusively determined, due to the absence and deletion of log files that the incident was caused by an ‘Insider Threat’’ – an employee, unauthorised attacker with access to Postbank’s network and/or third-party supplier with the necessary knowledge of, and access to the Postbank Oracle databases and wider infrastructure — this does perhaps seem a more plausible explanation based on the data reviewed by Ankura.”
We’re a non-profit newsroom that exposes wrongdoing, empowering people to hold power to account. But we cannot do it without your support.
On 28 October, the day the scam was discovered, the guilty parties allegedly set about covering their digital tracks by creating “malicious unauthorised” user accounts with privileged access to Postbank’s systems. These were used to erase audit trails until discovered and disabled by Postbank on 4 November, according to Ankura.
Postbank is the main custodian of the social grant system, paying out more than R10-billion to roughly 8-million grant beneficiaries every month. A recipient of the old-age grant would, for example, normally receive the roughly R1 900 and withdraw the full amount. Finding tens of thousands of rands in a beneficiary account is a major red flag.
A “risk management report” produced by Maartens in December shows that a total of 279 accounts were used to fraudulently withdraw the funds.
“This Modus Operandi (MO) included only ATM transactions as the perpetrators tried to withdraw the funds as quick as possible. The loss could not be determined with 100% accuracy and final numbers are not fully verified yet. The number is not expected to change materially and the loss amounts to R 89,459,330,” reads the report.
“It is clear from the above that the exploitation of a substandard IT environment by attackers lead to a major loss,” Maartens concluded.
According to him “further processes of implementing additional security enhancing measures to make our environment more robust” are ongoing.
Who’s to know?
Earlier this month, the South African Post Office (SAPO) controversially presented its new turnaround strategy titled “The Post Office of Tomorrow” to the parliamentary portfolio committee on communications behind closed doors.
It is not clear whether the incident at Postbank, which is a subsidiary of SAPO but is currently being unbundled, was discussed at the meeting. In his report Maartens claims that all relevant authorities, including the SARB, were informed about the breach.
“The incident was reported the SARB as required by the Banks Act. A formal PRECCA report was also filed as required for losses above R100k…acknowledgement of the report was received from SARB,” he said in his internal report.
Approached for comment SARB however contradicted Maartens’ version.
“The South African Reserve Bank is not aware of any breach or compromise of the systems at the Post Office…Furthermore, the Prudential Authority (PA) does not supervise the Postbank SOC Limited as it is not a registered bank, in terms of the Banks Act. “
Postbank seemingly also kept the Department of Social Development, under which SASSA operates, in the dark.
“The Department received no formal communication on the incident, and no grant beneficiaries were affected,” the department’s spokesperson Lumka Oliphant told amaBhungane via text message.
Postbank however doubled down on its version.
“On the question regarding the reporting protocols that were deployed by Postbank, Postbank maintains that the cybercrime incident was reported to the relevant law enforcement agencies (SAPS) as well as the SARB and Postbank’s cybercrime insurance provider within the prescribed timeframe.”
No cover
The incident at Postbank has highlighted the vulnerability of state-owned entities to cybercrimes.
It has revealed that at least some are allegedly unable to procure insurance against losses from cyberattacks in the first place.
According to Maartens’ report, Postbank was able to claim R75-million from its insurer and another R5-million from its Cell Captive to counter the losses. This left a dead loss of R9,5-million plus expenses of over R2-million.
The more serious problem is that Postbank’s insurance against cybercrimes of any sort is now exhausted until 31 July 2023 – and it cannot get any additional insurance.
“The lack of cover is obviously a major concern for both SAPO and Postbank,” reads Maartens’ report.
In the process of looking for extra cover Postbank allegedly discovered that its peers, other state-owned entities, had the same problem.
“We requested the insurance broker to go out to the market to try and source additional cover for Postbank. The broker approached all the local underwriters for proposals or options. The response was very clear but very concerning. The majority of the insurers responded that they do not insure any SOE’s for Cybercrime as the risk posture and control environments are falling outside of their risk appetite.”
International insurers AIG and Marsh turned down Postbank’s business and this avenue “seems like a dead end”, said Maartens.
After failing to find insurance on its own, Postbank claims it turned to its peers among state-owned entities, asking who they insure with.
According to Maartens, Postbank approached the South African Revenue Service, the Industrial Development Corporation and the State Information Technology Agency.
“The response was clear, these SOE’s could not obtain cover from local insurers and they do not have any Cybercrime cover.”
If true, this would be particularly concerning considering the ransomware attack on Transnet in July last year that shut down parts of the country’s port infrastructure for a week.
The IDC however denies being unable to secure adequate cyber-attack insurance, saying that “claims about the IDC not being insured against losses from cyber-attacks is wholly inaccurate”.
In response to questions the state-owned financier responded:
“Like all finance institutions, the IDC is acutely aware of cyber security risks, has the appropriate cover and its embedded IT governance practices proactively deal with live threats of cyber-attacks. Due to risks associated with cybersecurity and material concerns we all have about it, the Corporation will not engage in hearsay nor respond to unfounded statements by unrelated third parties.”
SARS and SITA did not respond to questions.
In response to questions, Postbank seemed to backtrack somewhat:
“Postbank wishes to stress that the context of the information on cybercrime insurance within state-owned entities is the emphasis that Postbank has a different risk profile, and cybercrime insurance requirements, which are not necessarily comparable to the cyber insurance products that other state-owned entities currently utilize.”
“Regarding procuring additional cybercrime insurance and cybercrime insurance matters, Postbank is considering various options that do not exclude cell captive and/or self-assurance options following indications of a low market appetite of insurance for entities with our comparable risk profile and cybercrime insurance requirements.
“The market exploration for an additional cybercrime insurer is also continuing, and the bank is adequately insured for other risks other than cybercrime,” it said.