Security13.01.2025

Matric marks data leak exposed

Two university computer science students have exposed a data leak that has allowed a company called Edumarks to offer the matric class of 2024 early access to their final results for R100 per report.

Despite the results being embargoed until midnight on 14 January 2025, Edumarks has been sending out reports since Saturday, 11 January.

Kirav Doolabh from Wits and Veer Gosai from Stellenbosch University published the findings of their investigation on GroundUp on Monday.

This is not the first time Gosai has been involved in a major information security investigation. Last year, he and fellow Stellenbosch student Joel Cedras exposed massive fraud in the R370 Social Relief of Distress grant system.

Basic Education Minister Siviwe Gwarube confirmed on Monday morning that her department had launched an investigation into a potential breach.

“We are investigating at the Department of Basic Education (DBE) whether or not our processes have been subject to a breach,” said Gwarube.

“If the process comes from our side, then we will deal with it. If it is any of our people, we will deal with it,” she assured.

“If the breach has come from the act of sharing the results with certain stakeholders, which we need to do for seamless distribution of the results, then we will deal with that.”

Gwarube said if they find that they have been victims of cybercrime, they will deal with it through State Security and The Hawks.

Departmental spokesperson Elijah Mhlanga has since confirmed that they have opened a criminal case, and the Hawks are investigating it.

While Gwarube said they haven’t yet pinpointed the source of the leak or breach, Doolabh and Gosai said they had narrowed it to Universities South Africa (USAf).

USAf, formerly known as Higher Education South Africa, is a membership organisation representing all 26 of South Africa’s public universities.

Unfortunately, that means any university could have been the leak after the marks were sent to USAf.

Siviwe Gwarube, Minister of Basic Education

Doolabh and Gosai’s investigation began when they discovered a service called Edumarks that promised to deliver matriculants’ results up to a week before they were officially released for R100.

With GroundUp, they asked the DBE in December to investigate the legitimacy of Edumarks. After extensive scrutiny, the department came back with its response.

“Edumarks is a bogus business offering a service it cannot deliver on,” the DBE stated.

It said that if Edumarks’ claims were true, then “they are committing fraud on multiple levels” by colluding with individuals who have unauthorised access to matric marks databases.

Doolabh and Gosai then tested the service to see if it worked. They began with a matric student from the class of 2023 and received accurate results from Edumarks.

However, they also determined that the results were from January 2024 and did not reflect final updates after remarks, which are typically released in March.

Therefore, Edumarks appears to be using results from the original matric mark database sent out in January.

The pair then bought the marks of a matric from the class of 2024, which Edumarks emailed at 16:06 on 11 January 2025.

They contacted the education department, which confirmed the results were authentic.

“At the time, the department clarified that only Universities South Africa had received the marks to distribute to the country’s public and private institutions,” they reported.

Media only receive the matric marks on the evening of 13 January 2025, the DBE said.

The marks were sent to USAf on 11 January 2025 at 13:10, which led Doolabh and Gosai to conclude that it or one of its member universities was the source of the leak.

“We’re doing what our government is struggling to do. Instead of using taxpayers’ money to build a system that’s POPI compliant, they’d rather waste it on a rather pointless legal battle,” Edumarks stated on social media.

“Imagine how we felt when we tried to reach out to them to build them a better, more efficient, and POPI-compliant system, and they ignored us,” it said.

“The matric results should be free. However, we charge this once-off fee for development costs.”

MyBroadband contacted Edumarks and its registered director, Hafil Dawood, for comment. They did not respond by publication.

Dawood wrote to the Daily News in August 2024, saying he started the service to streamline the retrieval of matric results for learners.

“Although we are a small group, we are eager to collaborate with the DBE to explore more efficient methods for accessing matric results,” he said at the time.

While the Edumarks website was initially up and running on Monday morning, it appears to have been taken down.

Its URL no longer resolves, but the shared Afrihost server it was hosted on still appears to be online.

Show comments

Latest news

More news

Trending news

Sign up to the MyBroadband newsletter