Date: 2025-09-07

A draft report by auditor-general Tsakani Maluleke has exposed billions in ghost beneficiaries, questionable spending, and a collapse of critical services at the Department of Social Development.

The Sunday Times reports that Maluleke highlighted repeatedly flagged failures surrounding the weak IT and data systems at the South African Social Security Agency (Sassa) that have gone unaddressed.

According to the article, the draft report has not yet been published or presented to Parliament as it must still go through prescribed processes.

However, in it, the auditor-general noted unverified grant payments, misstated financial records, and unreliable performance reports.

The draft also reported that more than 73,000 “ghost beneficiaries” received grants without valid documentation.

It also cited scenarios in which duplicate and ineligible payments were made to deceased recipients, state employees, and company directors.

The auditor-general reportedly said delays have been experienced in finalising disciplinary processes and recovering the financial losses.

“The delays have been caused by the unavailability of implicated employees, their witnesses and representatives, resulting in postponements of hearings,” wrote Maluleke.

Department of Social Development officials are expected to answer to the findings before Parliament on Wednesday, 10 September 2025.

In October 2024, Joel Cedras and Veer Gosai, two computer science students at Stellenbosch University, uncovered massive fraud in Sassa’s Social Relief of Distress (SRD) grant.

The students found that their and their friends’ identities had been stolen to obtain R370 grants in their names and investigated further.

They found that a bank account had been registered in Cedras’ name, and that it had received the grant every month.

Fraudsters use unsuspecting citizens’ ID numbers to apply for the grant and receive the funds in bank accounts they set up using the same ID numbers.

“We had to call some banks, and eventually we found a bank account with my name, and they were receiving my R370 grant every month,” said Cedras.

Cedras and Gosai queried Sassa’s application programming interface (API) for people born in February 2005 at a rate of 700 records per minute to investigate the issue further.

Ignoring the fact that the system should not enable queries at such speed, the pair found that nearly 75,000 SRD grant applications were made for people born in February 2005.

Based on Stats SA data, which reported that there were around 82,100 births that month, the grant application rate was around 91%.

“That’s a very high amount — that over 90% of people born in that month had an active Sassa application,” said Gosai.

The pair also surveyed 60 students they knew on campus, and found that 58 had active SRD applications, while only two said they had applied for the grant themselves.

Sassa grant admission head Brenton van Vrede admitted in a subsequent interview that the grants system had been breached, saying there were “quite a lot of these cases”.

R185 million allegedly stolen by N4aughtySec hacking group

Following Cedras and Gosai’s report, a hacking group called N4aughtySec contacted them and MyBroadband, claiming responsibility for $10 million (R185 million) of the fraudulent grant payments.

N4aughtySec said it had extracted the funds by creating more than 100,000 new bank accounts, which it managed by breaching credit bureaus operating in South Africa.

It later emerged that fraudsters had exploited weaknesses in several financial service providers’ systems to open new accounts. The companies identified have since addressed the flaws.

Another factor that enabled fraudsters to apply for the grants was access to a large supply of fraudulently registered cellphone numbers.

Cedras and Gosai found that a mobile virtual network operator (MVNO) had significant vulnerabilities in its online onboarding system.

They found that the MVNO allowed users to register as many free eSIMs as they wished without validating any of the proof of identity and address information needed for RICA processes.

They found that they could upload a mathematics assignment as proof of address and a picture of the operator’s logo as the ID, and not have their eSIMs deactivated.

The MVNO disabled its online eSIM ordering functionality following reports about the vulnerability.

Postbank plundered

Prior to the SRD grant fraud, Postbank insiders helped criminal syndicates steal over R150 million that should have gone towards grant beneficiaries.

The Postbank was a major channel for grant payments, with over three million people relying on the institution to receive their welfare benefits every month.

Two years prior to these thefts, it was reported that the Postbank’s “master key” was stored in plaintext during a data centre migration in July 2018.

Two staff members stored the key in plaintext on USB flash drives, and one of the drives couldn’t be located.

The 36-digit master key reportedly lets anyone read and write account balances, and read and alter information on any of the cards the bank has issued.

Following the potential master key exposure, criminals siphoned around R56 million in 25,000 fraudulent transactions from Postbank accounts between March 2018 and December 2019.

The Post Office initially denied that its master key for Postbank’s cards was compromised, saying that the “stories” were unfounded and only sought to create panic among Postbank’s clients.

However, in January 2021, former social development minister Lindiwe Zulu told Parliament that government was in talks to replace all Sassa cards following the security breach.

Sassa gave notice of termination for its master service agreement with the Postbank last year. Its last day is at the end of September.

To address the losses and trend of fraudulent grant recipients, Sassa is implementing biometric verification, requiring “ghost recipients” to come and verify themselves to continue receiving the grant.