Date: 2025-08-29

National Student Financial Aid Scheme (NSFAS) board chair Karen Stander has admitted that the entity’s ageing ICT systems are vulnerable and could expose private student information if infiltrated.

In a statement, Stander said the organisation will assess its ICT systems and develop a digital transformation strategy, among other interventions, to strengthen its long-term sustainability.

“The organisation’s ICT systems are misaligned with business requirements and lack integration, exposing severe security risks given the NSFAS’s size and scope,” she said.

This is particularly concerning, considering that NSFAS handles billions in taxpayer rands and holds a vast amount of private information from students.

This comes after former special administrator Freeman Nomvalo warned about the system’s challenges in August 2024. Nomvalo oversaw the scheme in the absence of a CEO and board of directors.

While speaking about problems with making payments to private accommodation and resolving student appeals, he said the organisation’s ICT systems were not up to scratch.

“The vulnerability to cyberattacks and the issues of data security are very worrying,” Nomvalo told Parliament’s Portfolio Committee on Higher Education and Training.

“Some of the things we are picking up in this regard are that it’s quite possible that information relating to students could be vulnerable to abuse.”

The Portfolio Committee issued a statement following the NSFAS’s presentation, recommending that it strengthen its ICT infrastructure.

“The committee recommends that NSFAS needs to ensure that it strengthens its ICT systems as a matter of urgency to curb student data falling into the wrong hands,” it said.

Portfolio Committee chair Tebogo Letsie added that the Department of Higher Education and Training must conduct a forensic investigation into the funding the NSFAS was given to improve its ICT systems.

“National Treasury funds were given to NSFAS to improve the ICT systems that were never improved,” he said.

“Should the forensic investigation show that money was siphoned from the entity, then people must be charged criminally.”

Government departments and agencies under attack in South Africa

In the past five years, no fewer than ten South African government departments and related state entities have fallen victim to cyberattacks, sometimes resulting from a lack of properly secured systems.

A European Repository of Cyber Incidents (EuRepoC) study found that South Africa was the second most targeted African country in terms of attacks against political actors.

It identified 21 major cyberattacks in South Africa over the past two decades. However, there have been far more than that. EuRepoC only counts incidents that meet certain criteria.

Incidents must violate the CIA information security triad, meaning the system’s confidentiality, integrity, or availability must have been impacted.

To be included, incidents must also be publicly reported, have a political dimension, or be against critical state infrastructure.

Minister in the Presidency Khumbudzo Ntshavheni recently acknowledged that South Africa had seen an increase in cybercrime and cyberattacks. She said ransomware attacks are the most prevalent threat.

The minister said these activities are affecting both government and private entities, and that the State Security Agency was aware of the constant threat and was working to mitigate cyberattacks.

Attacks on government infrastructure are particularly concerning. The Communication Risk Centre’s Telecommunications Sector Report for 2025 revealed that government infrastructure faces 3,312 attacks weekly.

The table below summarises the major cyberattacks suffered by South African government entities over the past few years.