Security | 29.06.2020

Serious security flaw on COVID-19 relief fund website – Employers warned not to apply

Government security

Business for SA has uncovered an urgent security flaw in the Unemployment Insurance Fund’s (UIF) Temporary Employer/Employee Relief Scheme (TERS) application system.

“A number of employer applicants have detected serious security breaches in the system, with some data being accessible by other applicants,” Business for SA said.

Business for SA said it has asked the UIF Commissioner to take down the website while it repairs the issue, and has advised employers not to make any further applications.

“The UIF site opened for TERS applications for June on Wednesday (24 June) morning,” Business for SA told MyBroadband.

“We realized there was a problem soon after 13:00, when a few businesses that were attempting to lodge claims on behalf of their employees notified us they were seeing details of other firms’ applications. We then issued the warning.”

Business for SA said it had not seen this issue before the opening of applications for June.

“One example seen on a screenshot from one applicant was a list of employees of another firm, including names, periods of service, ID numbers, email addresses,” said Business for SA.

“We contacted the UIF Commissioner, as the communiqué says. Unfortunately, when they put it up the next day, the problem repeated,” it added.

UIF must fix its system – Scopa

On Friday, Parliament’s Standing Committee on Public Accounts (Scopa) told the UIF to fix the shortcomings in its system.

“The shortcomings of the system have made the UIF vulnerable to fraud and corruption from employees and employers who have made false claims amounting to millions of rands,” said Scopa in a press release.

Scopa has asked the UIF to submit a detailed plan on its migration to a better system that will stop such a situation from happening in the future.

It also asked the UIF to submit a detailed report on 16 cases in which there were overpayments and erroneous payments into bank accounts.

“The committee hopes that all those that are found to be involved in the fraudulent payments will face consequences,” said Scopa.

Scopa said it is aware that the Hawks are investigating a R5.7-million payment into an incorrect bank account.

“Scopa has asked the UIF to submit a detailed report on this issue that it can use as a briefing note by Wednesday 1 July 2020,” said Scopa.

It also said that while it welcomes the payment of over R25 billion to four million workers, it is also concerned over administrative delays in the processing of some of these payments – which has left nearly a million employees without their money.

TERS website issues

While Business for SA was not aware of the issue existing in previous months, MyBroadband recently reported on another data leak that the UIF fixed last month.

This leak allowed anyone to obtain the UIF reference numbers of employers who had been paid out, and look up how much they had been paid.

These reference numbers were published on a website hosted under the Department of Employment and Labour’s domain.

After the issue was reported to the UIF, the reference numbers were removed from the downloadable list.

With these reference numbers, an attacker could go to the “My Payment Status” page and query the reference number.

While this page now features a Captcha, it did not have one until the matter was raised with the UIF.

Before this was implemented, it would have been easy for a malicious party to write a script that could extract the amounts paid and processing dates for each of the UIF reference numbers.
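The scraping risk described above (a published list of reference numbers plus a lookup page that accepted them without any Captcha or rate limit) leaves a recognisable trace in a web server's access logs: one client walking through many distinct reference numbers in a short span. The following detector is an added example, not code from the article or from the UIF's system; the `/payment-status` path, the `ref` query parameter and the combined-log line format are assumptions, and the log lines it runs over are constructed.

```python
"""Flag clients that enumerate reference numbers against a status-lookup page.

Added example, not part of the MyBroadband article or any UIF system. The
endpoint path (/payment-status), the query parameter (ref) and the log format
are assumptions; the sample log lines are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache/nginx combined-log prefix; only GETs to the hypothetical
# lookup path with a ref= parameter are matched, everything else is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /payment-status\?ref=(?P<ref>\w+) HTTP/1\.[01]"'
)


def parse_line(line):
    """Return (ip, timestamp, ref) for a lookup request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("ref")


def find_enumerators(lines, window=timedelta(minutes=5), threshold=10):
    """Map each client IP to the largest number of distinct reference numbers
    it queried inside any sliding window, keeping only those at or above the
    threshold. A legitimate employer re-checking its own reference number
    produces one distinct value and is never flagged."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, ref = parsed
            per_ip[ip].append((ts, ref))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({ref for _, ref in events[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


# Constructed sample log: one client walks twelve consecutive reference
# numbers within about a minute; another checks a single reference twice.
SAMPLE_LOG = [
    f'203.0.113.5 - - [29/Jun/2020:13:0{i // 10}:{i % 10 * 5:02d} +0200] '
    f'"GET /payment-status?ref=UIF{100000 + i} HTTP/1.1" 200 512'
    for i in range(12)
] + [
    '198.51.100.7 - - [29/Jun/2020:13:05:10 +0200] '
    '"GET /payment-status?ref=UIF200001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Jun/2020:13:20:42 +0200] '
    '"GET /payment-status?ref=UIF200001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Jun/2020:13:21:00 +0200] '
    '"GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct reference numbers in one window")
```

The threshold and window are tuning knobs: an employer with a handful of reference numbers will never approach ten distinct values in five minutes, whereas a script walking a published list crosses it almost immediately. Such a detector complements, rather than replaces, the server-side controls the article mentions (a Captcha or, better, tying lookups to an authenticated employer account), since it only identifies scraping after the fact.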

MyBroadband contacted the UIF for comment on this security flaw, but it did not respond by the time of publication.
