Hackers claim they have access to South African citizens’ financial data
A cyber extortion gang has claimed responsibility for a spree of alleged cyberattacks affecting some of South Africa’s critical sectors, including financial institutions, credit bureaus, and government entities.
According to MyBroadband, N4ughtySec, a hacker group that may be linked to N4ughtySecTU, gained notoriety following its 2022 breach of TransUnion.
Now, this group has seemingly resurfaced and claims to have infiltrated multiple South African banks, various government departments, and the South African Social Security Agency (SASSA).
Although many deny that their systems have been breached, these claims have prompted widespread investigations by the institutions implicated.
N4ughtySecTU first gained attention in March 2022 when it targeted TransUnion, a South African credit bureau, demanding a $15 million (approximately R224 million at the time) ransom in cryptocurrency.
The company refused to pay, arguing that giving in to criminal demands would only incentivise the bad behaviour and invite future attacks.
In response, the group leaked the stolen data online before seemingly disappearing.
However, they re-emerged in 2023 as N4ughtySecGroup, this time demanding an even larger ransom of $30 million (R530 million) from TransUnion and Experian. They threatened to expose client data if payment was not made.
According to N4ughtySec, their presence in South Africa never wavered. The group claimed they had maintained access to TransUnion and Experian’s systems since the initial 2022 breach and had been planning more extensive attacks on South African institutions.
Most recently, a spokesperson for N4ughtySec contacted MyBroadband, claiming to have breached numerous South African banks.
The group claimed to have used compromised data from credit bureaus to infiltrate the backend systems of several banks by exploiting vulnerabilities in the systems of the credit bureaus TransUnion, Experian, and XDS.
They specified that Absa, FNB, Nedbank, Discovery, and TymeBank were among those affected.

Despite these claims, all of the banks have issued statements to MyBroadband suggesting no indication of a security breach on their end.
TymeBank CEO Karl Westvig said the bank reviewed the information that was brought to their attention and cross-referenced it against its records. He said there were clear discrepancies between the data provided and the customer data they have on record.
“We can, therefore, confirm TymeBank has not been hacked and that the data has not been taken from our systems,” it said.
“Our initial investigations indicate that the data is likely to have been obtained from another party that our customers may have engaged with separately.”
Discovery Bank said it has not been impacted by a breach or seen any suspicious activity.
“We have reached out to industry colleagues, and at this time, there is no evidence or indication of a widescale security breach,” they said.
“In the normal course of business, Discovery Bank continuously reviews and monitors our security and fraud environment, as well as the transactional activities of clients for unusual behaviour.”
FNB said it is investigating the matter and can confirm that there are no indications of breaches on its banking platform.
A Nedbank spokesperson told MyBroadband that the bank also has not detected any breaches or suspicious activities on its systems.
“We can confirm that Nedbank has robust systems and technologies in place to detect irregularities,” the bank stated.
“We would like to reassure our clients that their information and deposits are safe and encourage them to remain vigilant and adhere to safe banking practices.”
Absa had a similar response, telling MyBroadband that the bank operates a “defense-in-depth” strategy to protect confidential customer information.
“Absa can confirm that we have not detected breaches or suspicious activity at this time. Absa works continuously with the industry, local and international law enforcement, and regulatory authorities to mitigate the potential risks or exposure to security breaches,” the bank said.

In addition to targeting banks, N4ughtySec claimed responsibility for a recent attack on the South African Social Security Agency (SASSA).
According to the group, they exploited vulnerabilities in SASSA’s system to siphon more than R175 million by creating over 100,000 fake bank accounts.
These accounts were allegedly opened using data obtained from breaches at TransUnion, Experian, and XDS.
The group’s approach aligned with a recent report by two Stellenbosch University students, Joel Cedras and Veer Gosai, who uncovered vulnerabilities in SASSA’s systems.
The first thing the students found was fraud at SASSA, which they discovered when one of them realised they were registered to receive a Social Relief of Distress (SRD) grant despite not qualifying.
They further found that someone had opened a bank account in the student’s name, which the grant was paid into.
The students then found a flaw in SASSA’s API, which allowed them to identify widespread fraud surrounding the SRD grants.
N4ughtySec praised the students for exposing these flaws, which they reportedly used to facilitate their attack.
It is important to note that these systemic flaws have been exploited for months, and Cedras and Gosai only revealed the problem in October this year.
SASSA’s grant admission head, Brenton van Vrede, confirmed that the organisation’s systems had indeed been compromised.
He highlighted additional weaknesses at three South African banks, which he said were not complying with the Financial Intelligence Centre Act (FICA) requirements for opening accounts, a lapse that made it easier for hackers to establish fraudulent bank accounts.
Unlike previous attacks where N4ughtySec demanded significant ransoms, this time, the group has made no monetary demands.
Instead, they have requested a public apology from the institutions they breached and a formal acknowledgement of the security flaws that allowed the attacks. They allege they warned the affected companies but were ignored.
In a statement, N4ughtySec declared, “We will not stop until we receive an apology and for the institutions we have hacked to admit the security flaws and the data and systems we have accessed. We did warn them.”
The alleged breaches have triggered responses from the credit bureaus involved. TransUnion issued a statement asserting that they “found no recent evidence that our systems have been inappropriately accessed”.
XDS said they are actively investigating N4ughtySec’s claims. Experian did not initially respond to MyBroadband’s queries but later affirmed that they had not detected any compromise in their systems.
“Data security has always been, and always will be our highest priority,” Experian said.