SASSA CONFIRMS THAT THERE HAS BEEN NO DATA BREACH OF ITS SYSTEM

• On 14 October 2024, reports in the public domain published an article revealing significant fraud within SASSA’s grant system, co-authored by two first-year Computer Science students from Stellenbosch University.
• The students highlighted how fraudsters exploit the identities of ordinary citizens to gain access to government support. In response, SASSA acknowledged the existence of this fraud and outlined its ongoing efforts to combat it, including advanced algorithms for fraud detection and a pilot programme using facial recognition technology.
• SASSA emphasised its commitment to balancing security with accessibility for its clients, particularly considering the high unemployment rate among South African youth.

On Monday, 14 October 2024, an article titled “We Discover Massive Fraud in SASSA’s Grant System,” with the subheading “SASSA Needs to Disclose How This Happened and the Scale of the Problem.” The article was co-authored by two first-year Computer Science students at Stellenbosch University who claimed they had been searching for vulnerabilities in both government and private-sector systems.

SASSA is aware of various attempts by individuals to exploit government efforts aimed at supporting the most vulnerable members of our communities. The fraud highlighted by the two students, involves fraudsters stealing the identities and contact details of ordinary citizens. This issue is not new and is well-known to SASSA, which recognises that it is not the only type of fraud being perpetrated.

Over time, the risk landscape has evolved, necessitating that SASSA adapt accordingly. In response, SASSA has implemented several countermeasures, including algorithms based on data and metadata designed to identify potentially fraudulent applications that require further identity verification. These measures are crucial, particularly given that 60% of South African youth are unemployed and could qualify for the grant. However, SASSA continuously strives to minimise the impact of its fraud measures on legitimate applicants.

SASSA is also in the process of rolling out enhanced security measures for all SRD-related functions as part of the launch of a new mobile app. It is essential that SASSA deploys these security measures without inconveniencing its client base, especially considering that a significant portion of its clients are not technologically literate. Therefore, it is crucial to maintain a balance between vulnerability and functionality.

In addition to its in-house risk identification model, SASSA collaborates with various risk mitigation and fraud detection institutions within the financial services sector to identify fraudulent activities and implement measures that exclude ineligible clients from receiving grants.

Furthermore, SASSA has piloted an electronic “Know Your Client” (eKYC) programme, utilising facial recognition to verify the legitimacy of clients and their applications by comparing and matching their data with the population register or National ID Database at the Department of Home Affairs. SASSA has also engaged with banks from the outset to ensure that grants are paid only to eligible recipients. In this regard, SASSA is working closely with certain banks to accelerate their biometric verification solutions for clients when opening bank accounts. The reduction in fraudulent applications is attributed to the success of the countermeasures implemented, which deter fraudsters from applying in the first place. As a result of these measures, over 2 million applications have been blocked and placed in a “referred status,” requiring applicants to verify their identity through facial recognition software.

It is our view that the students who raised their findings did so without a complete understanding of the relevant facts, including the SASSA clientele profile, the balance of system functionality and vulnerability, the risk assessments performed by SASSA, and the collaboration with various companies and authorities in prosecuting fraudulent applications.

SASSA validates whether the applicant has access to the mobile number provided during the application process. In this regard, the website sends a One-Time Password (OTP) to the mobile number supplied, which the applicant must enter on the website to proceed. The identity number is matched with the name and surname during the application process, based on information captured by the Department of Home Affairs, which SASSA obtains through the Integrated Justice System link (commonly referred to as the PIP service).

SASSA will continue to strengthen its processes and will work with universities, law enforcement agencies, and other institutions to protect the most vulnerable individuals it serves, ensuring that its system security and functionality remain in balance, alongside ethical hacking and best practices.