The system is offline — Government pension fund goes silent after data breach

The Government Employees Pension Fund’s (GEPF) systems are still down following a data breach from the LockBit ransomware group in mid-February 2024.

As a result, government employees cannot log into the GEPF website or its smartphone app, leaving them in the dark about the latest value of their pensions.

Several readers have informed MyBroadband of the issues experienced when attempting to access the system in recent weeks.

“We are still not able to log into the GEPF website and the cell phone apps. If you phone them [GEPF], they won’t give pension statements. They don’t even reply to emails regarding statements,” one reader said.

“No government employee is able to see what their pension is sitting at.”

We asked the GEPF for an update on the extensive downtime but it had not answered our questions by the time of publication.

MyBroadband first reported on a security breach at the GEPF in February 2024 after the entity informed the public of an unauthorised attempt to access its systems.

The GEPF said its administrator — the Government Pensions Administration Agency (GPAA) — had shut down its systems to mitigate the breach.

“There was no outage. The systems were shut down by our administrator (GPAA) as a security measure due to an attempt to gain unauthorised access to our systems,” it said.

“It is important to note that this system shutdown did not compromise our data nor affect payments to be made to pensioners.”

LockBit’s listing of the GPAA data file on its website.

However, it was later revealed that the breach was, in fact, a ransomware attack from the notorious LockBit group.

In mid-March 2024, the group dumped 668GB of data on the dark web, allegedly stolen from the GEPF’s systems.

The GEPF described the data breach as “extremely concerning”, considering the GPAA told it no data breach had occurred.

A file sample showed that the data featured scans of at least one senior government official’s passport.

The LockBit ransomware group had set a deadline of 11 March 2024 for the GPAA to pay its extortion demand or face having its data released on the dark web.

The GEPF said that following LockBit’s publication of the data on 11 March, the GPAA admitted that its systems had been compromised.

The latest update from the GEPF — a press release published on 12 March 2024 — said the GPAA was investigating the data breach and whether it impacted the GEPF.

“The GEPF is engaging with the GPAA and its oversight authority, the National Treasury to establish the veracity and impact of the reported data breach and will provide a further update in due course,” it said.

Cyber threats over time in South Africa: 2021 to 2023. Chart supplied by Orange Cyberdefense.

It has been more than a month since that statement and the GEPF has not provided any further updates.

Following the revelation that LockBit was behind the breach, MyBroadband spoke to lead security researcher at Orange Cyberdefense, Diana Selck-Paulsson, about the ransomware group.

Selck-Paulsson said LockBit has operating for roughly four years and hasn’t fallen to several efforts to disrupt it.

In February 2024, law enforcement agencies seized control of LockBit’s websites on the dark web. Despite this, further attacks with LockBit ransomware have been reported since.

Selck-Paulsson explained that Africa is becoming a significant target for cybercriminals and that groups like LockBit are often opportunistic about how to target victims.

“This is determined by the victim variables which could be vulnerabilities, incorrect cyber security practices, and factors such as the value stolen assets have to the victim and how much of an opportunity it provides threat actors to extort a victim organisation based on it,” she said.

“LockBit has been the top threat actor victimising organisations in South Africa since 2020.”

Latest news

Partner Content

Show comments


Share this article
The system is offline — Government pension fund goes silent after data breach