
The South African Social Security Agency (SASSA) Acting Chief Executive Officer, Mr. Themba Matlou, has welcomed the outcomes of the investigation into vulnerabilities in the online application system for the Covid-19 Social Relief of Distress (SRD) grant. The investigation revealed some areas of weakness that could compromise the system's integrity if not addressed, but the SASSA Acting CEO assured Parliament that the Agency will continuously improve system controls to ensure its systems are secure.

While welcoming the report, Matlou told the Portfolio Committee on Social Development in Parliament on Wednesday, 26 February 2025 that a plan to implement the recommendations will be actioned immediately.

Matlou committed SASSA to increasing the number of annual vulnerability assessments and penetration tests to four, from the two that are currently conducted. The Acting CEO said that currently five clients can apply using one cellphone number, and SASSA is in discussion with the Department of Social Development to change this to one client per cellphone number.

Furthermore, he said SASSA is implementing rigorous account verification processes and real-time monitoring systems to detect anomalies and unauthorized transactions. Regular audits to proactively identify and address potential fraud are also conducted by the Agency.

SASSA is broadening the use of biometric verification to include more transactions or to introduce randomized checks. This will enhance fraud prevention by making it more difficult for malicious actors to exploit the system.

He assured the Committee that SASSA has already started implementing some of the recommendations on a short-term basis by reconfiguring the web server configuration file to mitigate the identified risk and to prevent external manipulation of the webpage. He added that the system's firewall has been upgraded to a new version to mitigate the unauthorized access, data breaches, remote code execution and service disruptions presented by older versions. In addition, he said regular scheduled patch management processes will be strengthened.

In the medium to long term, SASSA is implementing the following:

  • Biometric verification for all online transactions
  • Cyber security threat intelligence (external websites)
  • Introduction of a Web Application Firewall
  • Improvements to the Software Development Life Cycle to ensure it is of high quality and secure
  • Extension of the scope of the Security Operations Centre
  • Continuous collaboration with Internal Audit to ensure enough controls
  • Domain monitoring and takedown services

Matlou told the Committee that, due to internal controls, SASSA has been able to identify possible identity theft, and these cases have been reported to the law enforcement agencies. In the 2023/2024 financial year, 1145 cases were reported, while in the 2024/2025 financial year, 650 cases were reported.

The Minister of Social Development, Ms. Sisisi Tolashe, instituted an investigation into vulnerabilities of the application and systems used by SASSA for the payment of the Covid-19 SRD Grant. The Portfolio Committee on Social Development had recommended an investigation into these vulnerabilities after two Stellenbosch University students made claims of fraud in the application system of the Covid-19 SRD Grant.
