Postbank loses over R18-million to cybercrime attacks
Most of the money stolen came from the SASSA beneficiary grant payment system, says CEO
- The Postbank says it lost over R18-million over three months in cybercrime attacks.
- Most incidents involved the accounts for social grant beneficiaries.
- A forensic audit was launched and the Hawks are investigating.
- Postbank says it will spend R400-million to upgrade its IT systems to counter similar attacks.
The South African Postbank is to spend R400-million over the next three years to upgrade and modernise its IT systems.
This follows the state-owned entity losing more than R18-million over a three-month period to cybercrime attacks.
On Tuesday, Postbank CEO Lucas Ndala told Parliament’s portfolio committee on communications that it had “a number of cyber fraud incidents – most of them relating to the SASSA beneficiary grant payment system”.
Ndala said the Postbank IT system had been flagged by the Auditor General for having “control weaknesses”.
“There has been a concerted effort to address these system deficiencies since the grant system was ceded to Postbank in 2021. A lot of these weaknesses come from the system itself because it came with a number of flaws that needed to be addressed over time,” Ndala said.
In response to DA MP Dianne Kohler Barnard on the total cost of the IT update, Ndala said, “The total cost approved is just around R400-million. This will be funded from Postbank resources. The modernisation will be over a three-year period.”
He said the accounts of 141 grant beneficiaries were hit in a cyber attack in August. The state-owned entity lost R5.8-million in this incident.
The second incident happened in September, also involving accounts receiving social grants on behalf of children. Ndala said the Postbank’s Fraud Risk Team discovered that some of these accounts were fraudulent, and, as a preventative measure, these were blocked.
However, “the blocking was not done properly,” said Ndala. “Anyone could unblock them within our branch network,” he said. Postbank lost about R4-million in this incident.
Ndala said the Postbank banking system suffered another cybercrime attack in October 2022 and lost about R9-million.
Earlier this year it was revealed that the Postbank had suffered a loss of at least R90-million in cybercrime attacks in October 2021.
Ndala told MPs that Postbank is on the same IT network as the South African Post Office (SAPO). One of the requirements when Postbank applied for a banking licence from the SA Reserve Bank was that it needed its own “stand-alone IT environment that cannot be impacted by the risks from SAPO”.
Ndala said the report on a forensic audit into the recent cybercrime incidents is expected to be released in December, while the second part of the report is expected in February 2023.
Nonkqubela Jordan-Dyani, acting Director-General in the Department of Communications and Digital Technology, said: “There needs to be consequence management because these are public funds and funds that belong to Postbank. We need to make sure that all those responsible are held accountable.”
“The Hawks will guide us in their process, and from our side, we are intending that the report will be tabled to the Cabinet,” said Jordan-Dyani.
Postbank did not respond to questions on whether payments to social grant beneficiaries were affected or how it had covered the losses.
Letters
Dear Editor
I don't believe Postbank! They posted a letter of apology and encourage grant beneficiaries to use retail outlets to draw their money because if you go to an ATM it won't work (Postbank abruptly suspended grant withdrawals at ATMs after incidents of fraud - editor). If you go to a retail outlet and ask for either your balance or cashback, the balance comes back as zero as if you already received the money!
I went to SASSA. They sent me to the post office, who acknowledged the problem and said to try again the next day. Nothing changed. Then I called Postbank's toll-free number and was lucky enough to get through twice: the first operator asked for my ID number and said to try again after 12pm and call back if necessary. I did - there was no change. I called again. This operator took my card number and said she sent an email that I must check on Friday! But no email. I tried phoning again but got told "the number you have dialled is out of service".
Where is the money that has been deducted from beneficiary grants by Postbank? When will it reflect in our accounts so that we can feed our children?
© 2022 GroundUp. This article is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.