Startling revelation in data breach exposing personal data of every South African government employee

The Government Employees Pension Fund (GEPF) says the data leak from LockBit is “extremely concerning” as its administrator — the Government Pensions Administration Agency (GPAA) — told it that no data breach had occurred.

The LockBit ransomware group added the GEPF to its list of victims and released a 668GB file allegedly containing data stolen from the GEPF’s systems.

A sample of the data showed that the data included scans of at least one senior government official’s passport.

“The GEPF is extremely concerned with this alleged security breach, as it was informed by GPAA that no data breach had occurred when it was notified of an attempt to gain access to GPAA systems by unknown individuals on 16 February 2024,” it said in a statement.

“The GPAA subsequently established that this was an attempt by the ransomware group LockBit.”

The GEPF said that following the release of GPAA data by LockBit on 11 March, the GPAA acknowledged that certain GPAA systems were compromised.

It is investigating the data breach and whether it impacts the GEPF.

“The GEPF is engaging with the GPAA and its oversight authority, the National Treasury to establish the veracity and impact of the reported data breach and will provide a further update in due course,” the GEPF added.

LockBit is a cybercriminal group that sells ransomware as a service (RaaS) software that threat actors can buy to carry out attacks, and it appears as though the GPAA refused to pay the ransom.

It set a deadline of 11 March 2024 for the GPAA to pay its extortion demand, at which point it released the data when its demands were not met.

MyBroadband spoke to Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense, who explained what LockBit does and gave a brief history of the group.

Cyber threats over time in South Africa: 2020 to 2023. Chart supplied by Orange Cyberdefense.

She said the group has been active for around four years, and despite efforts to disrupt it, it has been resilient.

Most recently, in February 2024, law enforcement agencies seized control of LockBit dark web sites. However, further attacks with LockBit ransomware have been reported since, according to Bleeping Computer.

Selck-Paulsson explained that Africa as a region has shown the third-highest growth in cyber attacks globally over the past year, with an increase of 70% over the twelve months prior.

She said groups like LockBit are often opportunistic in how they target victims.

“This is determined by the victim variables which could be vulnerabilities, incorrect cyber security practices, and factors such as the value stolen assets have to the victim and how much of an opportunity it provides threat actors to extort a victim organisation based on it,” said Selck-Paulsson.

Looking at South Africa specifically, Selck-Paulsson says Orange Cyberdefense has seen a significant increase in incidents in the past year.

However, she noted that these cybersecurity incidents occur in smaller numbers than in other regions it monitors.

“LockBit has been the top threat actor victimising organisations in South Africa since 2020,” Selck-Paulsson added.

LockBit doesn’t appear to favour any industry as its victims in South Africa.

Selck-Paulsson shared an infographic showing that it has targeted seven different South African sectors in the past, including the education, manufacturing, retail, and finance industries.

The infographic is shown below.

Targets of threat actors in South Africa. Infographic supplied by Orange Cyberdefense.

Latest news

Partner Content

Show comments


Share this article
Startling revelation in data breach exposing personal data of every South African government employee