‘Crisis’ warning after hackers steal sensitive police data

A notorious international hacker group that specialises in ransom demands has breached Polmed’s database

A Polmed data breach has resulted in the leak of identity information, private health records, financial data, occupational designations and home addresses of police officers. Stock photo. (123RF/dolgachov)

A data breach at the Police Medical Aid Scheme (Polmed) last month, in which personal details of police officers were stolen, constitutes a full-blown national security threat, according to a cybersecurity firm investigating the hack.

Cybersec Clinique said the breach, which was revealed to Polmed by the hackers responsible, ShinyHunters, resulted in the extraction of confidential health records, financial data and, crucially, occupational designations and home addresses of police force members.

ShinyHunters emerged six years ago and has attacked major international companies including Salesforce, Ticketmaster and Soundcloud, demanding payment of a ransom in return for not leaking sensitive stolen data.

“Given that the data subjects are predominantly members of the South African Police Service (SAPS), the exposure of residential addresses and occupational designations constitutes a critical risk to national security and personnel safety,” Cybersec’s report into the Polmed hack said.


“The presence of [police] member data in the public domain must be treated as an active and critical threat. The exfiltration of South African ID numbers alongside police designations creates an immutable risk of identity theft and blackmail against law enforcement officials.”

The report said ShinyHunters had exploited a “systemic architectural weakness” that allowed its hackers to forge digital credentials and masquerade as legitimate administrators.

“The exfiltrated dataset provides a comprehensive mapping of the SAPS command structure. This information facilitates highly targeted spear-phishing and social engineering attacks aimed at gaining unauthorised access to broader police infrastructure and internal case management systems.”

Polmed principal officer Neo Khauoe confirmed this week that the scheme had received an e-mail from the hackers. Polmed had launched an investigation and informed its members, the Information Regulator, SAPS and the Council for Medical Schemes (CMS).

“Because this is an active matter involving law enforcement stakeholders and multiple regulators, there are limits to the operational detail we can place in the public domain at this time. Polmed will continue to update the Information Regulator, SAPS, CMS and members as the investigation progresses,” she said.

Khauoe said it was not yet clear whether the hackers had gained access to the data via Polmed itself or through its administrator, Medscheme.

“Polmed’s relationship with Medscheme is governed by formal administration and managed health care agreements, which impose binding obligations on Medscheme to implement appropriate technical and organisational measures to protect Polmed’s data,” she said.

Cybersec warned that the breach had likely compromised the very tools used to secure criminal convictions. The combination of ID numbers, residential data and specific police roles creates a “high-risk environment for targeted social engineering and physical intimidation”.

Exposure of job titles and home addresses would be particularly dangerous for undercover police operatives and high-ranking officers, among others.

The Information Regulator this week said it was seeking to ascertain if Polmed had implemented “reasonable technical and organisational measures”. The CMS, the regulator for medical aids, said it would launch its own investigation.


Experts warned that police databases may still be at risk and urged the government to treat cybersecurity as a sovereign priority.

Bongani Majola, an analyst at ScaryByte, a cybersecurity company, said: “The reported exposure of databases linked to the police’s docket and forensic systems through the Polmed breach represents a serious breakdown in information security controls within a highly sensitive law enforcement environment.

“A breach of this nature suggests weaknesses not only at the perimeter level, but also in core areas such as access control, data encryption, network segmentation, and monitoring. In mature security architectures, sensitive systems are isolated, access is tightly governed through least-privilege principles, and data at rest and in transit is encrypted.”

Jabu Mtsweni, chief cybersecurity researcher at the Council for Scientific & Industrial Research, said hackers typically take about eight months or more to tell their victims of an attack. “Whoever would have access to the data would need time to first clean it, verify it, and if that data includes usernames and passwords, they will try and crack the systems before releasing the data publicly,” he said.

Despite large investments in public sector cybersecurity, Mtsweni said, too many organisations focused on merely complying with regulations around data protection rather than taking effective steps to prevent hacks.

Anathi Mtila of Armata Cyber Security said that apart from the technical aspects of data security, “the bigger issue is trust — organisations handling this level of personal information are expected to protect it, and once that trust is impacted, it takes a long time to rebuild it”.

Police spokesperson Brig Athlenda Mathe said SAPS’s cyberdivision is investigating. Cybersec Clinique referred all queries to Polmed, saying it was bound by confidentiality.
