Postbank “hack” — insiders stole R89 million

Post Office subsidiary Postbank was hit by cybercrime fraud resulting in the theft of R89.46 million in social grant funding, allegedly involving its own workers or contractors.
The security breach was uncovered by the amaBhungane Centre for Investigative Journalism and published on News24 and Daily Maverick.
Between 16 and 28 October 2021, the perpetrators made off with at least R89,459,330 in cash fraudulently transferred to 279 Sassa accounts and withdrawn at ATMs using cloned cards.
The discovery of the fraud was coincidental, with a call centre operator flagging a Sassa beneficiary account they noticed had an unusually high balance of just under R100,000.
Following the discovery, Postbank commissioned Ankura Consulting Group to analyse the breach.
Its report on the incident found that the people involved were likely Postbank workers or a Postbank contractor, with a “high degree of knowledge of the Postbank network, database structure and working practices”.
The perpetrators had also deleted log files linked to the incident.
This suggested that an employee, an unauthorised attacker with access to Postbank’s network, or a third-party supplier with the necessary knowledge of and access to the Postbank Oracle databases and wider infrastructure was to blame.
In addition, the scheme would have required the large-scale cooperation of beneficiaries willing to allow fraudulent activity to take place through their accounts.
Acting CEO Kevin Maartens previously told Parliament that Postbank reported the incident to the police and the South African Reserve Bank (SARB). A formal Precca report was also filed.
In a statement issued after amaBhungane’s report, Maartens categorically disputed that the incident was kept under wraps.
“There was never such attempt to hide the incident since Postbank reported the matter as required,” Maartens said.
“Because an investigation was instituted once the incident was detected, Postbank acted cautiously on the span of the incident’s reporting so as to not compromise the integrity of the investigation.”
He also denied claims that the incident was detected by accident.
“The cybercrime attack incident was detected through Postbank’s internal control mechanisms within the accounts management section as part of the daily operations procedures,” Maartens said.
“In point of fact, should the accounts management controls missed picking up the incident for whatsoever other reason the incident would have been flagged through other control mechanisms in the security processes.”
Maartens told MyBroadband that the attack exploited the Sapo network that Postbank utilises.
He added that Postbank was awaiting approval from the communications ministry to enhance its IT infrastructure.
He stressed the money stolen was taken from the Postbank and not the beneficiaries themselves.
To counter the losses, Postbank recovered R75 million through its insurer and R5 million from Cell Captive.

Not the first time

This is the second incident where the Post Office suffered a major security breach since it took over the payment of Sassa grants from Cash Paymaster Services in 2018.
In its first year of providing the service, Postbank’s master key was stolen, exposing beneficiaries’ ATM PINs and other means of encryption within the system.
That came after the 36-digit encryption key was printed in plain language at the Postbank’s previous data centre in the Pretoria CBD.
Consequently, over two years, around R56 million was siphoned in 25,000 fraudulent transactions from Postbank accounts.
The Post Office initially dismissed reports of the incident as “unfounded” and said they sought to create panic among Postbank’s clients.
However, SARB eventually ordered the Postbank to reissue 12 million cards at a reported cost of about R1 billion, signalling that the reports were accurate.
The supposed involvement of insiders working at the Post Office or Postbank is also nothing new.
In 2020, Minister of Social Development Lindiwe Zulu revealed that more than 1,700 Post Office workers received social grants for which they did not qualify.
That resulted in the South African Social Security Agency (Sassa) losing around R1.5 million a month.
At the time, the minister said while standard practice at Sassa did not allow for such occurrences, the agency may “under exceptional circumstances” end up paying people who did not qualify for the grants due to misrepresentation from grant applicants.
The Post Office has also been targeted in several robberies which saw Sassa cards and computers stolen.