R90m hack at Postbank kept under wraps

amaBhungane, 30 March 2022
https://further.co.za/amabwp/220331-r90m-hack-at-postbank-kept-under-wraps/

Unknown individuals, most likely working from inside the aspiring state-owned Postbank, stole millions through the social grant system late last year. The breach, which has been kept a secret, is the second time the SASSA payment system has been compromised since Postbank took charge of the social grant payment system in 2018.

Between 16 and 28 October last year individuals presumed to be either employed by Postbank or by a Postbank contractor stole at least R89 459 330 in physical cash through SASSA accounts. The brazen fraud involved illicitly crediting grant beneficiary accounts with large sums and then emptying these accounts out at ATMs.

It is the second major security breach since the South African Post Office (SAPO) and its subsidiary Postbank took control of the bulk of the social grant system in 2018. In that year the Postbank "master key", the cryptographic key safeguarding customer ATM PINs and other encrypted means of accessing accounts, was stolen (https://www.timeslive.co.za/sunday-times/news/2020-06-14-postbank-forced-to-replace-12-million-bank-cards-after-employees-steal-master-key/). Roughly R56-million was leached from Postbank accounts over the course of nearly two years, leading to an instruction from the South African Reserve Bank that Postbank reissue a reported 12-million cards at enormous expense.

This time around the damage was far larger and far faster.

Approached for comment, Postbank confirmed the theft but stressed that the money was not stolen from customers but from Postbank itself.

"Postbank wishes not to provide too much information about the modus operandi of the cybercrime fraud incident in order to protect the sensitive processes of the investigation that is currently underway," Postbank acting chief executive Kevin Maartens said in response to questions.

The scheme was only accidentally discovered and quashed when a call-centre operator noticed a SASSA grant beneficiary account with a balance of just under R100 000, highly anomalous for a grant recipient.

While the scam involved the use of cloned SASSA bank cards to withdraw funds, the cooperation of real grant recipients was seemingly necessary.

A report commissioned from Ankura Consulting Group to analyse the security breach noted that the perpetrators would have needed "a large-scale co-ordinated effort on the 'outside' to recruit beneficiaries willing to participate in allowing fraudulent activity to take place through their accounts".

The Ankura report, dated 9 December, concluded that "the attack demonstrates high levels of sophistication on the part of the malicious actor, and a high degree of knowledge of the Postbank network, database structure and working practices".

An external hack is possible in principle, but considered unlikely:

"Whilst it cannot be conclusively determined, due to the absence and deletion of log files that the incident was caused by an 'Insider Threat' – an employee, unauthorised attacker with access to Postbank's network and/or third-party supplier with the necessary knowledge of, and access to the Postbank Oracle databases and wider infrastructure – this does perhaps seem a more plausible explanation based on the data reviewed by Ankura."

On 28 October, the day the scam was discovered, the guilty parties allegedly set about covering their digital tracks by creating "malicious unauthorised" user accounts with privileged access to Postbank's systems. These were used to erase audit trails until discovered and disabled by Postbank on 4 November, according to Ankura.

Postbank is the main custodian of the social grant system, paying out more than R10-billion to roughly 8-million grant beneficiaries every month. A recipient of the old-age grant would, for example, normally receive roughly R1 900 and withdraw the full amount. Finding tens of thousands of rands in a beneficiary account is a major red flag.

A "risk management report" produced by Maartens in December shows that a total of 279 accounts were used to fraudulently withdraw the funds.

"This Modus Operandi (MO) included only ATM transactions as the perpetrators tried to withdraw the funds as quickly as possible. The loss could not be determined with 100% accuracy and final numbers are not fully verified yet. The number is not expected to change materially and the loss amounts to R 89,459,330," reads the report.

"It is clear from the above that the exploitation of a substandard IT environment by attackers led to a major loss," Maartens concluded.

According to him, "further processes of implementing additional security enhancing measures to make our environment more robust" are ongoing.

Who's to know?

Earlier this month, the South African Post Office (SAPO) controversially presented its new turnaround strategy, titled "The Post Office of Tomorrow", to the parliamentary portfolio committee on communications behind closed doors.

It is not clear whether the incident at Postbank, which is a subsidiary of SAPO but is currently being unbundled, was discussed at the meeting. In his report Maartens claims that all relevant authorities, including the SARB, were informed about the breach.

"The incident was reported to the SARB as required by the Banks Act. A formal PRECCA report was also filed as required for losses above R100k … acknowledgement of the report was received from SARB," he said in his internal report.

Approached for comment, SARB however contradicted Maartens' version.

"The South African Reserve Bank is not aware of any breach or compromise of the systems at the Post Office … Furthermore, the Prudential Authority (PA) does not supervise the Postbank SOC Limited as it is not a registered bank, in terms of the Banks Act."

Postbank seemingly also kept the Department of Social Development, under which SASSA operates, in the dark.

"The Department received no formal communication on the incident, and no grant beneficiaries were affected," the department's spokesperson Lumka Oliphant told amaBhungane via text message.

Postbank however doubled down on its version.

"On the question regarding the reporting protocols that were deployed by Postbank, Postbank maintains that the cybercrime incident was reported to the relevant law enforcement agencies (SAPS) as well as the SARB and Postbank's cybercrime insurance provider within the prescribed timeframe."

No cover

The incident at Postbank has highlighted the vulnerability of state-owned entities to cybercrime.

It has revealed that at least some are allegedly unable to procure insurance against losses from cyberattacks in the first place.

According to Maartens' report, Postbank was able to claim R75-million from its insurer and another R5-million from its Cell Captive to counter the losses. This left a dead loss of R9,5-million plus expenses of over R2-million.

The more serious problem is that Postbank's insurance against cybercrime of any sort is now exhausted until 31 July 2023, and it cannot get any additional insurance.

"The lack of cover is obviously a major concern for both SAPO and Postbank," reads Maartens' report.

In the process of looking for extra cover Postbank allegedly discovered that its peers, other state-owned entities, had the same problem.

"We requested the insurance broker to go out to the market to try and source additional cover for Postbank. The broker approached all the local underwriters for proposals or options. The response was very clear but very concerning. The majority of the insurers responded that they do not insure any SOEs for Cybercrime as the risk posture and control environments are falling outside of their risk appetite."

International insurers AIG and Marsh turned down Postbank's business and this avenue "seems like a dead end", said Maartens.

After failing to find insurance on its own, Postbank claims it turned to its peers among state-owned entities, asking who they insure with.

According to Maartens, Postbank approached the South African Revenue Service, the Industrial Development Corporation and the State Information Technology Agency.

"The response was clear, these SOEs could not obtain cover from local insurers and they do not have any Cybercrime cover."

If true, this would be particularly concerning considering the ransomware attack on Transnet in July last year that shut down parts of the country's port infrastructure for a week.

The IDC however denies being unable to secure adequate cyber-attack insurance, saying that "claims about the IDC not being insured against losses from cyber-attacks is wholly inaccurate".

In response to questions the state-owned financier responded:

"Like all finance institutions, the IDC is acutely aware of cyber security risks, has the appropriate cover and its embedded IT governance practices proactively deal with live threats of cyber-attacks. Due to risks associated with cybersecurity and material concerns we all have about it, the Corporation will not engage in hearsay nor respond to unfounded statements by unrelated third parties."

SARS and SITA did not respond to questions.

In response to questions, Postbank seemed to backtrack somewhat:

"Postbank wishes to stress that the context of the information on cybercrime insurance within state-owned entities is the emphasis that Postbank has a different risk profile, and cybercrime insurance requirements, which are not necessarily comparable to the cyber insurance products that other state-owned entities currently utilize.

"Regarding procuring additional cybercrime insurance and cybercrime insurance matters, Postbank is considering various options that do not exclude cell captive and/or self-assurance options following indications of a low market appetite of insurance for entities with our comparable risk profile and cybercrime insurance requirements.

"The market exploration for an additional cybercrime insurer is also continuing, and the bank is adequately insured for other risks other than cybercrime," it said.