Big problem in South Africa’s financial system

Special exemptions from South Africa’s data privacy laws for credit bureaus have created a significant vulnerability in South Africa’s financial system.
This is the warning from Dominic White, Orange Cyberdefense South Africa managing director, who voiced his concerns after reports of massive fraud in South Africa’s Social Relief of Distress grant system.
A hacking group called N4aughtySecGroup claimed responsibility for at least R175 million of the money stolen and said they had infiltrated South Africa’s financial system through the credit bureaus.
“The National Credit Act allows anyone with which you have a payment, credit, or loan agreement to submit your information to a credit bureau without your consent,” White told MyBroadband.
“You can request the information and dispute it, but you cannot opt out of sharing or have it deleted.”
White pointed out how a TransUnion consumer profile purchased from a site like Lexis Windeed for R52 can contain up to four pages of personal information.
Potential buyers need only a surname, first name, and ID number to access a trove of information about someone, including their cellphone number, address, and contact number history in addition to credit information.
Some bureaus, such as Experian, require an institution to be registered with the South African Credit and Risk Reporting Agency to access these profiles. However, White said he is unsure whether this is meaningful protection.
He also noted that although platforms like Lexis Windeed facilitate the transaction, credit bureaus make money by selling lookup access to institutions.
However, the concern is not only that credit bureaus sell information, but also the threat of data breaches of these institutions’ systems.
In 2020, Experian fell victim to a social engineering attack that saw the perpetrator gain access to the personal information of roughly 24 million South Africans.
The attacker posed as a properly credentialed Experian customer to gain access to the data. He was arrested and found guilty of fraud, but not before the data made its way onto the Internet.
Two years later, TransUnion’s systems were breached, and attackers accessed the data of several million South Africans and businesses.
A hacking group calling itself N4ughtySecTU claimed responsibility for the attack.
N4aughtySecGroup, whose affiliation to N4ughtySecTU is unclear, last year claimed that they had constant access to the two credit bureaus’ systems since these breaches — something both Experian and TransUnion deny.
A spokesperson for the hacking group told MyBroadband they could exploit the SRD grant system thanks to data they obtained from TransUnion, Experian, and XDS through leaks and breaches.
As proof, the group provided sensitive financial information about two MyBroadband journalists.
This included a specific spelling mistake in a residential address that one journalist’s bank made and details about a new vehicle insurance policy that the other had taken out in the past six months.
The attack on the grant system involved fraudulently registering thousands of R370 per month SRD grants.
This also required creating potentially thousands of new bank accounts and cellular phone numbers to receive OTPs, which was enabled by weaknesses in the systems of several financial services providers and at least one mobile virtual network operator.

A barrage of breaches
In the same post, White pointed out that South Africa has suffered so many data breaches that there is a “fog of war blanketing the space such that any new breach has immediate deniability.”
The country has suffered breach after breach, ranging from businesses in the private sector to government institutions.
These attacks can also be expensive for victims. The average data breach cost is R49 million, placing the country 14th among those hardest hit by such attacks, according to Allianz’s cyber security report for 2024.
The most recent entity affected was Claim Expert, the company Pick n Pay used to offer its licence disc renewal service from January 2022 until mid-2023, which suffered a data breach that exposed the personal information of over 100,000 customers.
The leak contained names and surnames, ID numbers, cellphone numbers, and email addresses.
Word of a potential breach began circulating online after a ransomware gang called Bashe posted on its data leak site on the dark web that it planned to dump a database with 105,383 lines belonging to Pick n Pay.
It had given the South African retail giant until the morning of 14 January 2025 to pay up.
However, when the clock ran out, and Bashe released the data, it turned out that the database belonged to Claim Expert, not Pick n Pay.
A few days earlier, Cell C confirmed that the RansomHouse hacking group had claimed responsibility for breaching its systems.
The company disclosed that it was the victim of a cyberattack on Wednesday, 8 January 2025, that exposed the data of a limited number of people.
RansomHouse’s site on the dark web claims that they had breached Cell C’s systems in early November 2024 and exfiltrated 2TB of data.