Cyberattacks: Government pension fund members can’t access some services months later

24 May 2024 - 13:46
Pensioners and members of the Government Employees Pension Fund can't access the self-service portal and app due to the cybersecurity breaches at the administrator. Stock photo.
Image: 123RF/ginasanders

Pensioners and members of the Government Employees Pension Fund (GEPF) can't access the fund's self-service portal and app months after cybersecurity breaches. 

The security breach occurred at the GEPF administrator, Government Pension Administration Agency (GPAA), in February and March this year.

Earlier this month, the fund sent out a notice advising its members that its self-service portal and app remain offline due to the breaches.

"The GPAA has determined a complete rebuild of these platforms is necessary to ensure a more robust platform," the notice read.

"The GPAA anticipates these platforms will be operational by June 21. Members and pensioners are requested to visit GEPF offices or call the call centre on 0800-117-669 for any pension-related enquiries until the systems are fully restored."

GEPF spokesperson Matau Molapo said the biggest impact on the fund was the GPAA's inability to assist members and pensioners with pension enquiries and processing of claims after systems were subsequently taken down. This was done as a precautionary measure after the cyberattack.

"Most of the services taken down are back online. However, there is a backlog of claims that need to be processed and paid which the GPAA is addressing," she said.

The GEPF was not aware or made aware of any report or complaint about identity theft due to a cyberattack, she said.

"With regards to the data stolen, based on preliminary investigations undertaken on the cyberattack, it indicates that certain data subjects’ information was compromised. The GEPF and GPAA have reported the data breach to the information regulator in terms of the law."

Molapo said other systems affected by the breach were back online, except self-service and the app. She said self-service being offline inconvenienced their members, but stressed it is important to rebuild the platform to ensure it is safe and secure.

She said the GEPF is working with external security and system specialists to:

  • ensure they secure their systems from further cyberattacks;
  • determine the extent of the compromise; and
  • put new, advanced security measures in place to ensure their systems are safe and secure.

"The team has achieved the first two steps and they are on the last step."

Cybersecurity incidents in South Africa

Experts believe there has been a significant rise in cyberattacks, including ransomware, denial of services and engineering attacks. 

A senior lecturer at the Wits School of Business Sciences, Thembekile Mayayise, said the attacks impact the public and private sectors.

"The use of artificial intelligence and other tools to carry out the attacks suggests we can expect an increase in their frequency in the future. The consequences of such breaches are reputational damage and financial losses as time and financial resources are often required to recover," said Mayayise.

She said the attacks negatively impact government’s ability to deliver services to citizens. She believes there is room for improvement in preventing and mitigating cybersecurity risks to ensure sufficient protection of information and organisational systems.

She said organisations should begin prioritising cybersecurity and ensure confidentiality, integrity and privacy of information is preserved.

She said many entities, when hit by cyberattacks, take long to recover, and this is often due to a lack of necessary skills and disaster recovery plans which have been regularly tested to ensure the recoverability of data and systems in the event of a disaster or security breach.

"In other departments, there are no dedicated persons responsible for cybersecurity and this creates a gap in ensuring that relevant cybersecurity measures are implemented and monitored," she said. 

Prof Elmarie Biermann from the Cyber Security Institute reiterated Mayayise's view that cyber-breaches are increasing in South Africa as this crime continues to prove to be lucrative. She said several public and private organisations have been the target of ransomware attacks and business e-mail fraud.

Breaches are impacting private and public entities, she said, forcing them to implement security strategies to identify and control cyber-risks.

"Breaches lead to, among others, operational downtime (it can be months to restore systems from backups), loss of data integrity, fines by the information regulator and implying an ongoing risk for the citizens," said Biermann.

"There are some misconceptions that security is a technical or IT issue when in reality it is a management responsibility. It is about being aware of possible cyber-threats and implementing structures to mitigate the risks."

Prof Rennie Naidoo from the Wits School of Business Sciences said given the global challenge and complexity of cybersecurity, exemplified by sophisticated attacks on well-established organisations in the US such as SolarWinds and Microsoft, no public or private entity can claim to be fully prepared.

He said in October 2023 a hacker claimed to have accessed and leaked the personal details of 815-million Indians, referred to as the Indian Council of Medical Research data breach.

"Despite efforts such as stringent data protection laws, the increasing frequency and severity of cyber-incidents suggest the government and private entities need to continuously invest in and improve their cybersecurity capabilities," he said. 

Naidoo said the private sector and government should improve their capabilities, considering research by the Council for Scientific and Industrial Research (CSIR) reported the country is the eighth most targeted worldwide by ransomware attacks. 

TimesLIVE 

