Breaches expose state info vulnerability


Government has named and shamed a score of individuals who used technology to steal R160 million from the state’s coffers.

This is amid concerns that among the institutions that were targeted are those, such as the South African Revenue Service (SARS), that hold acutely sensitive information about citizens.

The State IT Agency is working on putting more security in place to protect information, after the recent hack of the South African Police Services’ anonymous tip-off website, which saw the names and personal details of 16 000 whistle-blowers and victims of crime being mined from the police’s site and made publicly available via a bulletproof site.

Government has also finally unveiled an ambitious plan to roll out a government-wide ICT governance framework, with the first phase of a complicated process set to be complete at 150 national and provincial structures by the end of next March. Recent scathing AG reports have found a widespread lack of IT security and governance among government departments.

However, security breaches at state institutions cannot be solved through technology alone, and other processes need to be put into place, including proper weeding-out of public servants who try to find a way around the systems to enrich themselves.

Many convictions

At the weekend, Jeff Radebe, minister of justice and constitutional development, named and shamed 42 people who had been convicted, or are awaiting their day in court on charges of fraud and corruption. The release of the names was in line with the Justice, Crime Prevention and Security Cluster’s commitment to deal with corruption.

“The fight against corruption remains one of the major priorities of government because in both the private and public sectors, corruption has a detrimental effect on government’s effort to deliver effective services to the people,” said Radebe.

The cluster’s Anti-Corruption Task Team (ACTT), established in 2010, has – for the 2012/13 financial year – recorded criminal investigations against 242 accused persons in 89 priority cases involving R5 million or more per incident, says Radebe.

In terms of the investigations against the 242 persons, further investigations are progressing against 193 accused; two people were acquitted and charges were withdrawn against 14 accused, while 42 people have already been convicted, says Radebe. The minister says other names from a long list of more than 3 000 convicted individuals will be released later.

The ACTT brings together work done by the National Prosecution Authority, Asset Forfeiture Unit, SARS, Hawks, Special Investigation Unit, Financial Intelligence Centre and National Treasury to fast-track investigations of high-priority and high-profile corruption cases.

System breaches

Among the incidents that Radebe released was one at SARS in which a syndicate gained access to its systems with the help of a staff member and a consultant. Access details were then used to change the banking details on SARS’ system, allowing the syndicate to divert money into its bank accounts, to the value of R77.7 million.

Five people were convicted on charges including fraud, corruption and money laundering, and sentences of between five and 10 years behind bars were handed down, although some were suspended.

In addition, in the Post Bank hack, in which a syndicate obtained access details and then transferred a total amount of R42.7 million, three people have been convicted of fraud and sentenced to between 10 and 15 years, including one who was a call centre consultant. The case against another accused, Kabelo Kekana, is ongoing and is postponed for further investigation until 22 July.

At the Department of Minerals and Energy, in 2007 and 2008, employees obtained login details for the accounting system by installing keystroke logging software. The access details were then used to reactivate the profiles of former staff members, and nine sundry payments totalling R15 million were then made using these reactivated profiles.

A freezing order for R8.6 million of the payments was made and the matter is ongoing, with several accused in court currently on trial, although three private people, who formed part of the syndicate, were convicted.

At the Alfred Nzo District Municipality, staff with access to the personnel management system created and made payments to ghost employees. Tenders in the municipality were awarded to employees or their relatives, and overpayments made.

A total of R28 million was defrauded and three employees were convicted of fraud and sentenced to a R20 000 fine or a year behind bars.

Open to abuse

Mark Walker, director of insights and verticals for the IDC’s Africa and Turkey region, says the breaches highlight vulnerabilities in government, which has information on citizens from cradle to the grave.

The AG’s 2011 report found that 81% of the 38 national departments audited did not have full security management systems in place.

Who is to say that others are not breaching systems in other ways and using information across departments to build databases on people and companies, questions Walker. He adds that access to government’s information about citizens can provide the criminal element with an entire view of someone’s life.

However, Walker points out that SARS does have to limit the information shared across departments. The breaches come down to a security issue, but hackers will always find a way around the system, he notes. “Anything can be retro-engineered.”

Technology can only go so far and armour systems to a point, says Walker. He says the ultimate solution lies in the proper vetting of staff and the first issue is that of human security.

Walker points out, however, that systems must be hardened, but this needs to be balanced with efficiency, as increased security slows down systems and processes. Technology is like a hammer, and can be used to break down or build up, he says.

“SA is very naïve in terms of how much weight it ascribes to information.”