Columns 5.03.2025

South Africans being robbed blind — twice

The IT system running a R35-billion social welfare programme is riddled with security vulnerabilities and suffers from massive fraud. Yet, government’s response to the discovery of the problem has been completely unhurried.

Furthermore, finance minister Enoch Godongwana proposed hiking value-added tax (VAT) from 15% to 17% to help finance South Africa’s “social wage” — pumping more money into a deeply flawed system.

Two Stellenbosch computer science students, Joel Cedras and Veer Gosai, uncovered deep-seated problems at the South African Social Security Agency (Sassa) in October last year. They were first-years at the time.

Cedras and Gosai’s investigation began when they discovered that their and their friends’ identities had been stolen to obtain Social Relief of Distress (SRD) grants in their names.

The SRD grant is a lockdown-era welfare mechanism administered by Sassa that initially paid R350 per month to citizens and refugees who have no other source of financial support. The amount has since been increased to R370, with calls to double it.

After digging into the identity theft, the two students found a bank account registered in Cedras’ name that had been receiving a grant every month.

Cedras and Gosai conducted an informal survey of some of their classmates to determine whether this was an isolated issue. They found that several of them had grants fraudulently registered in their names.

They then tried to alert Sassa about the problem, but found it impossible to get hold of anyone at the agency.

The pair then set about trying to determine the extent of the problem. Fortunately for the South African public, they found that the Sassa API for SRD grants had no rate limit, allowing them to scrape 700 records per minute.

This allowed Cedras and Gosai to perform some basic analysis. They queried the grant status of everyone born in February 2005 and found around 75,000 applications in the system.

They compared this figure to the number of reported births that month — 82,100 — which works out to an application rate of about 91%.

This is much higher than South Africa’s already extremely high youth unemployment rate of 60.2%, as reported by Stats SA.

SRD grant fraud investigation

Veer Gosai and Joel Cedras presenting to the Parliamentary Portfolio Committee on Social Development, 23 October 2024

Shortly after Cedras and Gosai reported their findings, hacking group N4aughtySec said they stole $10 million (R175 million at the time) from South African taxpayers by defrauding the SRD grant system.

N4aughtySec further alleged that it had gained privileged access to South Africa’s entire financial system through weaknesses in the credit bureaus.

Cedras and Gosai kept digging and established that part of the problem was weak RICA controls at mobile virtual network operator (MVNO) Me&you Mobile, and potential FICA weaknesses at some banks and financial service providers.

Fraudsters easily obtained South African cellphone numbers through Me&you Mobile’s online eSIM ordering system.

They then went to financial providers like TymeBank or Shoprite’s Money Market account, which made it relatively easy to open a basic transactional account online.

These security vulnerabilities have since been closed, or the systems have been temporarily disabled. TymeBank and Shoprite changed their systems so that grants can only be paid into biometrically verified accounts.

Cedras and Gosai were invited to present their findings before the Parliamentary Portfolio Committee on Social Development in October 2024.

This led to the Department of Social Development appointing auditing firm Masegare & Associates and cybersecurity specialist Stanly Machote to conduct a formal investigation at a cost of around R280,000.

Predictably, the investigation basically just confirmed everything Cedras and Gosai had found.

During its report-back to Parliament, Sassa gave no indication of how many fraudulent grants were currently in the system or how much money had been stolen.

Acting Sassa CEO Themba Matlou provided vague assurances to MPs that their systems were secure and that further steps were being taken to address the vulnerabilities identified.

“The system is secure. We’ve reconfigured the server after receiving the report, but obviously, there’s still work to be done,” he said.

Taxpayers robbed blind

Enoch Godongwana, Minister of Finance

The lack of urgency around tackling SRD grant fraud demonstrates government’s callous disregard for the impoverished masses supposed to benefit from these welfare programmes and the taxpayers that fund them.

Finance minister Enoch Godongwana’s untabled budget for 2025/26 revealed that government intended to allocate R35.2 billion to continue the SRD grant until 31 March 2026.

It also showed that there were 19 million SRD grant recipients, with that number expected to grow to 19.3 million by the 2027/28 financial year. That is over 30% of South Africa’s population on a below-the-breadline monthly stipend.

It is clear that although the SRD grant’s stated purpose was to provide money for people in distress during the Covid-19 lockdown from 2020 to 2022, it has since become a de facto basic income grant.

To help fund this grant and close the remainder of a R60-billion gap in the budget, Godongwana wanted to hike VAT by two percentage points.

This proposal caused an uproar in President Cyril Ramaphosa’s Government of National Unity.

Following an emergency sitting of cabinet on 19 February 2025, Godongwana’s budget speech was postponed 20 minutes after he was supposed to deliver it. It is now scheduled for 12 March.

The latest reports suggest that Ramaphosa has proposed a VAT hike to between 15.75% and 16% as a compromise, but several cabinet ministers also resisted this.

Whether the coming year’s budget is financed by a VAT increase or not, it is unlikely that there will be any cuts to government’s grant programmes.

Therefore, South African taxpayer money is being wilfully dumped into a system that criminals from all over the world have been able to plunder.

Even if N4aughtySec’s claims that it stole $10 million from the SRD grant system were exaggerated, Cedras and Gosai’s investigation proved that the programme was being defrauded en masse.

This was the first robbery, committed by criminals who exploited security flaws to steal taxpayer money meant to help the poorest of the poor.

Now government says it wants to hike taxes to fund this broken system and allow criminals to rob the South African taxpayer a second time.
