Date: 2023-02-05

The South African Broadcasting Corporation (SABC) is under investigation by the Information Regulator over a vulnerability that let attackers access people’s TV Licence accounts without their passwords.

This is according to an email chain between the Information Regulator and a complainant, which MyBroadband has seen. A reader sent the complaint to us after the regulator told the complainant they must prove their details were exposed.

“In your response, you responded by providing a link to an article, which does not show nor prove your allegation,” the Information Regulator wrote.

“The article only shows that there was a security compromise by the Responsible party which will be investigated by our compliance division.”

“We therefore request that you provide proof for your allegations and indicate what personal information was shared by the responsible party or failed to protect,” it added.

The complainant contacted the Information Regulator, concerned that their personal information may have gotten into the wrong hands through the vulnerability as they pay their TV licence fees on the portal annually.

MyBroadband contacted the Information Regulator to confirm its investigation into the SABC, but it had not answered our questions by publication.

On 20 July 2022, MyBroadband disclosed a security vulnerability that allowed malicious actors to log into people’s SABC PayNow accounts without knowing their passwords.

Once logged in, attackers could view the TV Licence holder’s outstanding bills, view and change any address details, and download an account statement.

After receiving a tip-off regarding the vulnerability, MyBroadband immediately informed the SABC. The broadcaster didn’t take immediate action, leaving the vulnerable part of the website operational and accessible.

“The SABC is investigating this matter, as the security of its platforms and protection of its clients’ personal information is of utmost importance,” the SABC’s Head of Communications, Ndileka Cola, said at the time.

Toward the end of July 2022, the SABC finally took down its PayNow system. However, it did not say anything about the vulnerability.

“We are currently experiencing issues on PayNow. We apologise for the inconvenience,” a notice on the SABC’s TV licence page stated.

With PayNow offline, licence holders had to go to physical pay points to pay their TV Licence fees.

“Our range of physical pay points extends to banks, the Post Office, retailers, Easypay outlets, Pay At outlets, SABC Head Office and branches.”

It is unclear when the SABC took its online TV licence payment service offline. The state-owned broadcaster did not provide any reason why the system was unavailable on its website and didn’t respond to our requests for comment.

After being unavailable for almost five months, the SABC’s TV Licence payment portal was back up and running in early December 2022.

However, the portal is no longer called PayNow, with the broadcaster changing its name to FAST Pay. Its functionality remains the same, allowing TV licence holders to view their accounts’ status and pay outstanding fees.

Several security flaws have been discovered in the SABC’s TV Licence portal over the years.

In February 2016, a MyBroadband reader noticed that the SABC’s payment gateway provider used an outdated encryption algorithm to secure sensitive credit card information.

In December 2020, the broadcaster warned about an ongoing defacement of its TV Licence web portal and advised customers not to leave their details on the website until it was resolved.

