Security | 1.11.2024

Hackers claim to have stolen R175 million after infiltrating SA banking system

Attackers declaring themselves to be the hacking group N4ughtySec, who previously targeted South Africa’s credit bureaus, say they have stolen over R175 million from the South African Social Security Agency (Sassa).

The group said they extracted the funds by creating over 100,000 new bank accounts, which they achieved by breaching credit bureau XDS, as well as further exploiting TransUnion and Experian.

“As promised, the N4aughtysecGroup has attacked government departments, the latest being Sassa,” they said.

“We have been hard at work rolling out our promises,” N4ughtySec continued.

“We have entered the systems of the credit bureaus. We successfully hacked and used the compromised data sets and backend systems to attack the South African government and local organizations.”

Although the group told MyBroadband that breaching XDS was a major component of its latest attack, it still took aim at TransUnion.

“We did warn TransUnion that failure to pay our ransom would result in ultimate destruction. We are deeply infiltrated into the governments and bank systems,” they said.

“We are releasing all the data of Sassa in the next 48 hours.”

A group calling themselves N4ughtySecTU first attacked TransUnion in March 2022, exfiltrating the data of 5 million consumers and exposing the ID numbers of a further 5.2 million people.

N4ughtySecTU demanded $15-million (R224 million at the time) in cryptocurrency to return the data.

TransUnion refused to pay, explaining that it would set a bad precedent and that there was no guarantee N4ughtySecTU wouldn’t post the data anyway.

The group released the data they had stolen online and disappeared.

N4aughtySecGroup emerged in 2023 demanding a $30-million (R530 million) ransom each from TransUnion and Experian or face having all their client data leaked.

The group said they never left South Africa and had retained constant access to TransUnion and Experian’s systems.

This same group is now back with an explosive claim — that they have exploited vulnerabilities in Sassa that have previously been reported and extracted money via the South African banking system.

“We cracked the Sassa systems using data and backend access from our hacks into Transunion, Experian, and XDS,” they said.

“We have infiltrated the banks and opened over 100,000 accounts and continue to do so.”

N4ughtySec expressed respect for the recent work by two Stellenbosch University computer science students, Joel Cedras and Veer Gosai, in uncovering massive fraud in Sassa’s systems.

“They are true heroes. They stand for what we fight for,” a N4ughtySec spokesperson told MyBroadband.

Grant beneficiaries sit in a long queue outside SASSA’s office in Bellville. Photo: Qaqamba Falithenjwa/GroundUp

Cedras and Veer published the findings of their investigation earlier this month, which revealed that fraudsters were essentially stealing people’s identities to apply for Social Relief of Distress (SRD) grants.

The criminals then use those same ID numbers to open bank accounts in people’s names and pocket the R370 per month.

To investigate the extent of the issue, the pair probed Sassa’s systems and found they could query its application programming interface (API) at a rate of 700 records per minute without being challenged.

This in itself was a problem, as it should not be possible to query the agency’s database like this without hitting a rate limit.

However, the security flaw allowed them to scrape the data for every ID number beginning with 0502 — that is, everyone born in February 2005.
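As an added example (not code from the article, Sassa, or the two students), here is a detection pass a defender could run over API access logs to flag the two things described above: a client exceeding a per-minute request rate, and a client walking through ID numbers that share one date-of-birth prefix. The log format, thresholds, and client addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumed, not Sassa's): "<ISO timestamp> <client> GET /api/status?id=<13-digit ID>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/status\?id=(\d{13})$")
RATE_LIMIT_PER_MIN = 60   # assumed policy; the scrape in the article ran at ~700/min
PREFIX_LEN = 4            # YYMM of an SA ID number, e.g. "0502" = born February 2005
ENUM_THRESHOLD = 20       # distinct IDs under one YYMM prefix from a single client

def analyse(lines):
    """Per-client findings: peak requests in any 60 s window and the widest YYMM prefix walk."""
    window = defaultdict(deque)                        # client -> timestamps in the last minute
    peak = defaultdict(int)
    by_prefix = defaultdict(lambda: defaultdict(set))  # client -> YYMM prefix -> distinct IDs
    for line in lines:                                 # assumes lines are time-ordered per client
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not a lookup request
        ts = datetime.fromisoformat(m.group(1))
        client, sa_id = m.group(2), m.group(3)
        q = window[client]
        q.append(ts)
        while ts - q[0] >= timedelta(seconds=60):      # slide the one-minute window
            q.popleft()
        peak[client] = max(peak[client], len(q))
        by_prefix[client][sa_id[:PREFIX_LEN]].add(sa_id)
    findings = {}
    for client, prefixes in by_prefix.items():
        widest = max(len(ids) for ids in prefixes.values())
        findings[client] = {
            "peak_per_min": peak[client],
            "max_ids_one_prefix": widest,
            "rate_abuse": peak[client] > RATE_LIMIT_PER_MIN,
            "enumeration": widest >= ENUM_THRESHOLD,
        }
    return findings

def build_sample_log():
    """Constructed sample: one client walking 0502-prefixed IDs at 700/min, one ordinary client."""
    t0 = datetime(2024, 10, 20, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i * 60 / 700)).isoformat()} "
             f"203.0.113.7 GET /api/status?id=050215{i:04d}083" for i in range(700)]
    for k, sa_id in enumerate(["9001015800085", "8507127300089", "0203045801083"]):
        lines.append(f"{(t0 + timedelta(minutes=2 * k)).isoformat()} "
                     f"198.51.100.4 GET /api/status?id={sa_id}")
    return lines
```

In a real deployment the same two signals would feed a rate limiter and an alert, so a prefix walk is stopped rather than merely recorded.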

Cedras and Veer found that nearly 75,000 SRD grant applications were made for people born in February 2005.

Statistics South Africa data shows there were 82,097 births in February 2005, which works out to an SRD application rate of about 91%.

While South Africa is experiencing a youth unemployment crisis, Stats SA reports a youth unemployment rate of 45.5% — nowhere near 90%.

Sassa grant admission head Brenton van Vrede confirmed to Heart FM that the organization’s grant systems had been compromised.

Van Vrede also said they noticed that three South African banks were not implementing the Financial Intelligence Centre Act (Fica) correctly, allowing fraudsters to open bank accounts with other citizens’ ID numbers.

N4ughtySec said they had exploited this security flaw for the past ten months.

MyBroadband contacted Cedras and Veer for their insights and they said it was entirely possible the group had been exploiting the system that long, as they had seen fraudulent grants dating back more than a year.

Interestingly, the group has not made any financial demands this time. Instead, they say they want an apology.

“We will not stop until we receive an apology, and for the institutions we have hacked to admit the security flaws and the data and systems we have accessed. We did warn them.”

Asked to prove their claims, the group provided recent financial records for two MyBroadband journalists.

In one case, a journalist’s home address was misspelt exactly the same way their bank had recently done it.

For the other journalist, N4ughtySec pulled data about their car insurance policy, which they had changed less than six months ago.

N4ughtySec named five banks whose systems they said they can access via the credit bureaus — Absa, FNB, Nedbank, Discovery, and Tymebank.

MyBroadband contacted all five banks for comment. Absa, FNB, and Nedbank said they are investigating.

TymeBank CEO Karl Westvig said that after reviewing the information brought to the bank's attention and cross-referencing it against its records, there were clear discrepancies between the data provided and the customer data it has on record.

“We can therefore confirm TymeBank has not been hacked and that the data has not been taken from our systems,” it said.

“Our initial investigations indicate that the data is likely to have been obtained from another party that our customers may have engaged with separately.”

More generally, TymeBank said they have implemented numerous rules to identify fraudulent accounts and have multiple preventative measures to detect fraud and prevent potential syndicates from accessing these accounts.

“TymeBank takes the security of our data extremely seriously and we have world class processes and controls to mitigate the risks of data loss,” it said.

“We work closely with all industry bodies and government departments to mitigate fraud where possible.”

Discovery Bank said it has not been impacted by a breach or seen any suspicious activity.

“We have reached out to industry colleagues and at this time, there is no evidence or indication of a widescale security breach,” they said.

“In the normal course of business, Discovery Bank continuously reviews and monitors our security and fraud environment, as well as the transactional activities of clients for unusual behaviour,” it said.

“In addition, through our bank app and website, we regularly keep clients abreast with educational awareness material and messaging about fraud, security and scam trends and how to avoid them.”

TransUnion and XDS said they have not found recent evidence indicating a breach of their systems.

“While we are not aware of any such breach, please rest assured that we are actively investigating this matter and will continue to monitor our systems closely,” XDS said.

Following publication, Experian provided the following statement.

“We have seen no evidence to indicate Experian systems or data have been compromised,” it said.

“Data security has always been, and always will be, our highest priority. We constantly strive to provide secure systems and processes that reflect data security best practices to stay ahead of today’s increasingly sophisticated cyber criminals.”
