The Pretoria High Court recently heard that an Auditor General report on the old and new National Traffic Systems questioned whether the system had adequate security in place. It also emerged that the department had done nothing after being warned about the security breach.
The Auditor General’s report, revealed in court, says that any official in the department of transport with access to a terminal has been able to access and change files, possibly compromising the database. The court heard that this problem has existed for years on the old National Traffic Information System (Natis) and had migrated to the new electronic National Traffic Information System (eNatis), but that this breach was only discovered in the recent Auditor General report, which was completed in February.
The security concerns came to light during a hearing of an application from the Director General of Transport, Mpumi Mpofu, to prevent Beeld newspaper from publishing the Auditor General’s report on security problems related to the two systems. Judge Dion Basson dismissed the director general’s application.
eNatis replaced Natis in April, but its implementation has been plagued by inefficiency and delays.
The system is designed to register and license motor vehicles and manage applications for drivers’ and learners’ licences. It also monitors traffic in South Africa, and contains information on motor vehicle registrations, the state of infrastructure, drivers, contraventions, accidents and financial records.
Advocate Sias Reynecke argued for Beeld that the Auditor General’s report revealed insufficient protection for passwords and that users at eNatis terminals could easily access different folders. He argued that it was in the public’s interest to be aware of these problems.
In arguments it emerged that department of transport users of Natis and eNatis had been granted “powerful authority” to access files on the network and that users had access to sensitive “root files”. The old system also did not require passwords for access, a problem which has apparently not been addressed in the new system.
Reynecke argued that the fault did not lie with the system itself, but rather with the department’s management. He said passwords were not administered adequately and that “security patches” were not installed when needed.
But the department argued that revealing “confidential” information, including about the password problems, could have a negative impact on the functioning of eNatis. The department’s advocate, Pat Ellis, argued that it was in the public interest not to have the security problems exposed in detail in the public domain.
“Heaven forbid car theft syndicates use the information to break into the system to cover up their crimes,” he said.
Ellis compared the department’s concerns about publicising eNatis’s security problems to a situation in which a prison’s secret codes and keys were leaked to the public, which he said would have a detrimental impact on the prison’s security operations.
But Reynecke hit back, asking whether the argument would hold water if the Auditor General had told the prison that the wardens were not locking the cell doors, and the prison then ignored it.
“The press then reports on this after the department had ignored the warnings. Now the prison wants to gag the press, because they say the inmates will be told their cells are unlocked,” he said. “This is after prisoners have already escaped.”
Ellis also argued that the problems the Auditor General reported on had to do with the old system and not eNatis and that a new audit report had to be done to investigate eNatis itself.
Reynecke rejected this argument, asking why the department was then trying to gag Beeld. “The director general wants to protect herself against people’s criticism of poor governance,” he said.
Department of transport spokesperson Collen Msbi told the Mail & Guardian after the verdict that the judgement “was a minor setback”. “We are studying the judgment and will make a decision on what to do next,” he said. “We still believe that this matter is confidential and not fit for the public domain.”
He said the department would not be responding to any questions that will compromise the “security” of the report. Mpofu, who was also present at the hearing, did not respond, except to say she believed eNatis was safe.