Serious flaws in SASSA system, MPs are told - again
Unclear why same investigators, with unclear qualifications for the job, have presented more or less the same obvious findings to Parliament a second time
An investigation into SASSA’s Social Relief of Distress (SRD) grant system has revealed significant security flaws which leave the online payment system vulnerable to cyberattacks and fraud. Photo: Marecia Damons
- An investigation into SASSA’s Social Relief of Distress (SRD) grant system has found significant security flaws making it vulnerable to fraud.
- The findings were presented to Parliament’s social development portfolio committee on Wednesday.
- Fraudulent websites mimicking SASSA’s official platform are stealing personal data from applicants, with victims already suffering from identity theft and financial fraud, the investigation found.
- Social Development Minister Nokuzola Tolashe promised stricter oversight and accountability.
Weak authentication policies, unprotected backup files and a lack of web security measures were among the many issues identified in an investigation into the R370-a-month Social Relief of Distress (SRD) grant system.
The investigation follows findings by two Stellenbosch University students, who discovered vulnerabilities in the payment system run by the South African Social Security Agency (SASSA). They found that large numbers of fraudulent SRD applications were being made using ID numbers of individuals who had recently turned 18.
Their research prompted Social Development Minister Nokuzola Tolashe to launch an inquiry. The investigation was done by Masegare & Associates Incorporated.
On Wednesday, Stanley Matshote presented the company’s findings to Parliament’s Portfolio Committee on Social Development. Matshote explained that they found significant security flaws in SASSA’s system.
This is the second time the company has presented to Parliament. We pointed out the last time that the investigation was superficial and expensive. It doesn’t address the fundamental problems in SASSA’s systems identified by the Stellenbosch students (see here and here).
The system was classified as a “medium” threat level, Matshote said. “While the system is not highly vulnerable, it is still susceptible to attacks that could compromise security if left unaddressed.”
Concerns flagged included: weak authentication mechanisms, making it easier for hackers to gain access; unprotected backup files, increasing the risk of data leaks; missing security headers, exposing user information to potential breaches; and server misconfigurations, allowing unauthorised access to sensitive internal data.
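Two of the findings listed above, missing security headers and weak session handling, are the kind of thing a defender can check mechanically from a single HTTP response. The script below is an added example for this article, not code from SASSA or the investigators; the sample response it audits is constructed, and the header list reflects common web-hardening practice rather than anything the report itself specifies.

```python
"""Audit a raw HTTP response for missing security headers and for session
cookies that lack protective flags. Example code added to this article; not
SASSA's or Masegare & Associates' code. The sample responses are constructed."""

# Security headers a public web application is normally expected to send,
# with a one-line note on what each one mitigates (assumed baseline, not
# taken from the report).
REQUIRED_HEADERS = {
    "strict-transport-security": "forces HTTPS; mitigates protocol downgrade",
    "content-security-policy": "restricts script sources; mitigates XSS",
    "x-content-type-options": "blocks MIME sniffing",
    "x-frame-options": "blocks clickjacking via framing",
    "referrer-policy": "stops leaking URLs to third-party sites",
}

# Cookie attributes a session cookie should carry.
REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...]).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def missing_security_headers(headers):
    """Return the names of expected security headers that are absent, sorted."""
    present = {name for name, _ in headers}
    return sorted(name for name in REQUIRED_HEADERS if name not in present)


def weak_cookies(headers):
    """Return [(cookie_name, [missing flags]), ...] for every Set-Cookie header
    that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';', e.g. "Path=/; Secure; SameSite=Strict".
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [flag for flag in REQUIRED_COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def audit(raw: str) -> dict:
    """Run both checks over one raw response and return the findings."""
    _, headers = parse_response(raw)
    return {
        "missing_headers": missing_security_headers(headers),
        "weak_cookies": weak_cookies(headers),
    }


# Constructed response resembling the weak configuration described above:
# only one security header, and a session cookie with no protective flags.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>sample</body></html>"
)

# Constructed response showing the same service after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html><body>sample</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(resp)
        print(f"[{label}] missing headers: {result['missing_headers']}")
        for cookie, flags in result["weak_cookies"]:
            print(f"[{label}] cookie {cookie!r} lacks: {', '.join(flags)}")
```

Run against a response captured from one's own service (or one an operator is authorised to assess), the weak sample reports four missing headers and a session cookie without Secure, HttpOnly or SameSite; the hardened sample reports nothing. The same parser can be pointed at stored responses in bulk, which is how a recurring audit, one of the recommendations made to SASSA, would catch regressions after a server reconfiguration.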
“Despite being classified as medium risk, there are significant threats that could potentially lead to unauthorised access, data breaches, service disruptions, or reputational damage if the vulnerabilities are exploited,” Matshote said.
It is unclear how Matshote reached the conclusion that the risk level is medium. MIT defines a system as high risk if “The loss of confidentiality, integrity, or availability of these information assets could reasonably be expected to result in serious harm to individuals or the Institute.” Numerous fraudulent SRD applications have been made by exploiting weaknesses in the system, and a large number of them have succeeded, defrauding the government. This is the very essence of a high level of risk.
To mitigate these risks, he recommended that SASSA implement multi-factor authentication, stricter controls on grant applications, and regular security audits.
“Since the (malicious) site operates without SASSA’s approval, it may be violating data protection laws such as POPIA (Protection of Personal Information Act) in South Africa”, Matshote said.
The investigation also uncovered fraudulent websites mimicking SASSA’s official website, putting beneficiaries at risk of identity theft and financial fraud.
Matshote said these fake platforms harvest personal data from unsuspecting applicants, with some already falling victim to stolen identities. The sites — https://srd-sassa.org.za/ and https://srdsassagov.co.za/ — are not affiliated with SASSA but claim to provide accurate information about social grants. These sites collect personal data from applicants, Matshote told MPs.
“It is recommended that SASSA considers issuing an immediate public advisory warning beneficiaries about the unofficial (fake) sites. Authorities should also work with domain registrars and cybersecurity teams to shut down these unofficial (fraudulent) websites,” Matshote said.
He also recommended that SASSA link each applicant’s ID to a unique phone number to prevent multiple registrations, expand biometric verification to detect fraud more effectively and conduct regular testing to strengthen the system against cyber threats.
Acting SASSA CEO Themba Matlou acknowledged the vulnerabilities in their system but emphasised that steps were being taken to address them. “We’ve put in place risk mitigation processes,” Matlou said, adding that security updates were being implemented. “The system is secure. We’ve reconfigured the server after receiving the report, but obviously, there’s still work to be done,” Matlou told MPs.
Despite about R280,000 being spent on the investigation, MPs were concerned that it failed to adequately deal with the full extent of fraud, the number of victims affected, and how many grants had been wrongfully paid out.
Nhlanhla Gcwabaza (MK) said although fixing the system is crucial, the immediate impact on beneficiaries had not been fully addressed. “There are people who were supposed to get their grants but didn’t,” he said.
Paulnita Marais (EFF) questioned how beneficiaries could complete identity verification if they don’t have access to a smartphone, while Alexandra Abrahams (DA) raised concerns that SASSA had not set any deadlines to address some of the issues raised in the report.
Tolashe acknowledged the government’s failures in preventing these security breaches, promising more accountability moving forward. “We have no excuse. Not now, not tomorrow. Our people have gone through enough through non-commitment to strategic leadership,” she said.
© 2025 GroundUp. This article is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.