The province has fallen prey to cyber criminals before, but failed to improve its security.
Despite being the victim of several cyber attacks which have cost it millions over several years, the Mpumalanga government has failed to improve its security.
Following a cyber attack by hackers on the Mpumalanga education department, the province says it intends to implement improved security for all its systems – but has yet to do so.
A total of R5.5 million was stolen from the department’s Nedbank account after unauthorised access was gained to the basic accounting system (BAS).
The department notes it has not introduced intrusion detection systems, and its virus detection software and firewalls are also insufficient. Previous attacks had occurred and there had been cases of unauthorised entry and virus attacks, the province says.
The office of the premier admitted the provincial government needs to do more, but said no plans are in place to improve security.
“We need to strengthen our financial management and control systems in the administration to ensure government resources are efficiently utilised to advance development and service delivery. We need to enhance accountability, for performance and results,” says Mpumalanga premier David Mabuza.
Results of the forensic investigation on the attacks revealed that payments were made to 11 individuals and companies after banking details were changed on the BAS.
Payments were made to several accounts totalling R7 056 317 million. The report revealed that R1 543 345 was saved following a court order to freeze the province’s accounts. The remaining R5 512 972 had already “disappeared”, the report states.
Not first time
An internal audit in 2008 revealed a syndicate had been using advanced spyware to commit cyber crimes in KwaZulu-Natal, Mpumalanga, Limpopo and the Eastern Cape. Affected departments in all provinces included education, agriculture and transport.
Over 27 cases were identified where a syndicate had defrauded the four provinces of more than R199 million over a three-year period.
While KwaZulu-Natal and Limpopo introduced improved security measures as a result, Mabuza promised his province would set up methods to curb cyber crime but has yet to introduce any measures.
The implementation of the BAS started in October 2000 and the system went live in April 2001. The financial system also interfaces with the personnel and salary administration system.
At the time, the province stated the system would help it meet its legislative requirements, saying: “This is part of what we need to do to enhance the integrity of government, to improve the overall security management of the provincial government, including the management of government information in line with legislative requirements.”
The department added it would need a “sophisticated intrusion detection system” to deny access to unauthorised users and prevent fraud – but announced no plans.