
Johannesburg, South Africa – A sophisticated cyber heist has been uncovered within South Africa’s Department of Public Works and Infrastructure (DPWI), resulting in the theft of at least R300 million (US$16.5 million) over the past decade. Newly appointed DPWI Minister Dean Macpherson disclosed the details in an X (Twitter) post, highlighting systemic vulnerabilities within the department.

This post details:

  • how the cyber heist was discovered;
  • what the fallout was;
  • the method employed by the alleged cybercriminals;
  • the government’s response;
  • the public’s reaction;
  • key legal questions; and
  • our insights into the investigation.

The discovery

Unauthorised payments

The cybercrime was uncovered following an internal audit, revealing a pattern of unauthorised payments through manipulated invoices and other digital means. The department identified the cyber-security vulnerabilities with the assistance of its banking partners, including ABSA and the South African Reserve Bank.

Forensic probe

In May 2024, following a further cyber heist of R24 million, the then-Minister Sihle Zikalala (now Deputy Minister) ordered a full forensic probe into so-called vulnerabilities in the department’s ICT systems.

The probe involved:

  • the Hawks (the Directorate for Priority Crime Investigation, DPCI);
  • the South African Police Service;
  • State Security Agency (SSA); and
  • experts in the ICT and cyber security industry.

Scope of the investigation

The investigation covers the following:

  • causes of the breach and vulnerabilities;
  • vulnerability and susceptibility to cyber-crime of the ICT infrastructure within the department;
  • lack of staff capacity; and
  • weak ICT systems.

Cybersecurity failure

The cyber heist lasted ten years, suggesting a long-standing breach in the department’s cybersecurity measures.

“It has become clear that the department has been a soft target and playground for cyber criminals for over ten years, and this should have been picked up a lot earlier. I felt it important to let South Africa know what has happened and what we are doing about it. I cannot discount the possibility of collusion between officials and criminals during this prolonged theft period. It is clear that we need better financial controls, which I have said to the department are a matter of urgency,” said the Minister in a media statement on 10 July 2024.

The fallout

Employee suspension and laptop seizure

In response to the findings, 30 laptops have been seized for further investigation, and four officials have been suspended (probably via a precautionary suspension process). The four DPWI officials suspended include three senior managers and one middle manager.

The DPWI suspects the implicated individuals of facilitating, or being complicit in, the fraudulent activities. Minister Macpherson highlighted that the investigation is ongoing and that more suspensions and legal action may follow as it proceeds.

Impact on creditors

The investigation forced the department to shut down all its payment systems, causing significant delays in creditor payments.

The cyber heist method

The alleged cybercriminals reportedly used advanced techniques to infiltrate the department’s financial systems. By manipulating payment processes and creating fake invoices, they were able to divert funds into accounts under their control. The complexity and duration of the theft suggest a high level of sophistication and possibly inside knowledge and co-operation.

Government response

Reassurance

From the DPWI Minister

Minister Macpherson has committed to overhauling the department’s cybersecurity protocols to prevent future breaches. “This incident highlights the urgent need for robust cybersecurity measures within all government departments”, Macpherson stated. He assured the public that steps are being taken to recover the stolen funds and to hold those responsible accountable.

From OUTA

Organisation Undoing Tax Abuse (OUTA) CEO Wayne Duvenage congratulated Macpherson for being transparent.

From the Presidency

Minister in the Presidency Khumbudzo Ntshavheni said the SSA has been inundated with media enquiries following the statement from the DPWI. “The investigation is ongoing, and investigating teams were urged to work with speed to conclude their work without compromising the required thoroughness of the investigation,” Ntshavheni said. She added that the SSA continues to provide support and advice to government departments on cybersecurity: “The SSA is finalising a consolidated assessment on government’s cybersecurity strengths and initiatives underway to address any weaknesses found in the system”. Once the report has been completed, the Minister said, it would be submitted to the National Security Council for further processing and direction.

List of DPWI Ministers over the past decade

  • Thulas Nxesi was Minister from October 2011 and continued until May 2014.
  • Nathi Nhleko served as Minister from May 2014 to February 2018.
  • Thulas Nxesi was the Minister from February 2018 to May 2019.
  • Patricia de Lille took over from May 2019 until March 2023.
  • Sihle Zikalala succeeded Patricia de Lille, serving from March 2023 to June 2024.
  • Dean Macpherson is the current Minister, appointed in June 2024.

It is still being determined whether Ministers were aware of the ongoing heist over the past decade or whether they had to prioritise other areas of national importance.

The country’s approach to cracking down on cybercrime

According to Interpol’s 2023 African cyber threat assessment report, South Africa has the highest number of cybersecurity incidents in Africa.

At the end of 2023, the Special Investigating Unit (SIU) entered into a memorandum of understanding with the International Criminal Police Organisation (Interpol) in South Africa, aligned to its stance on cybercrime. The memorandum gives the SIU direct access to data systems in 195 countries.

Further, in June 2023, South Africa’s Justice Ministry announced that “South Africa and France have entered into a cooperation protocol agreement to improve the Special Investigating Unit’s cyber forensic capabilities” to tighten the SIU’s cyber forensic investigations.

“We are going to benefit a lot through this process of training that will enable our forensic cyber capabilities and investigations to be on par with the standards of the world and the globe because these types of crime are no longer just national, they are transnational in nature”, the then-Minister of Justice and Correctional Services, Ronald Lamola said.

Public reaction

The revelation has sparked outrage among citizens and raised concerns about the security of public funds (from South African taxpayers). Calls for increased transparency and stricter oversight within government departments have intensified. Analysts warn that the incident could erode public trust in the government’s ability to safeguard taxpayer money.

Legal and regulatory implications

This incident invokes several legal and regulatory obligations:

  • POPIA: obligates organisations to secure personal information against loss, damage, or unauthorised access.
    • Has the Information Regulator been notified of the security compromise?
    • Have data subjects been notified?
    • Who had access to the financial systems and data?
    • How was the breach detected?
    • How were manipulated invoices introduced?
    • What actions were taken post-detection?
    • What measures have been put in place to prevent future incidents?
  • Cybercrimes Act: provides legal mechanisms to address and prosecute cybercrimes.
    • What types of cybercrime are involved?
      • Unlawful access?
      • Cyber fraud?
      • Cyber forgery?
    • What are the likely consequences for those implicated?
  • Public Finance Management Act: requires government departments to ensure efficient, effective, transparent financial management and internal controls.
    • How did the breach and subsequent financial misconduct violate the PFMA?
    • Were proper internal controls and financial management systems in place as required by the PFMA?
    • What steps were taken to ensure accountability and transparency as mandated by the PFMA?
    • How was the oversight and monitoring by the responsible authorities under the PFMA framework carried out?
    • What corrective measures and sanctions have been implemented per PFMA guidelines?

The cyber heist has also raised questions about whether South Africa should push for the implementation of its Critical Infrastructure Protection Act 8 of 2019 and Cybersecurity Bill.

Notably, within the public sector context, the Department of Public Service and Administration has gazetted various directives to guide government departments on information security, such as the directives on public service information security and cloud computing in the public service.

Our insights into the cyber heist

Given our experience dealing with incidents like the R300 million cyber heist at DPWI, we offer the following insights.

Potential causes

  1. Insider threats: The prolonged nature of the theft suggests potential insider involvement. Employees with access to critical systems and knowledge of the department’s processes could have facilitated or disregarded the fraudulent activities.
  2. Weak cybersecurity infrastructure: The department’s ICT systems likely had significant vulnerabilities, including outdated software, weak authentication protocols, and insufficient encryption practices. These weaknesses would have made it easier for cybercriminals to infiltrate and manipulate financial systems.
  3. Lack of monitoring and audits: Inadequate real-time monitoring and irregular security audits would have allowed unauthorised activities to go unnoticed for an extended period. This absence of oversight is a critical factor in the longevity of the heist.
  4. Insufficient training and awareness: Employees may not have been adequately trained to recognise and respond to potential cyber threats, making the department more susceptible to social engineering attacks and other common cyber tactics.

Likely investigation process

  1. Forensic analysis: A thorough forensic analysis of the department’s ICT systems will be conducted to trace the origins and methods of the cyber heist. This includes examining server logs, transaction records, and seized devices.
  2. Interviews and interrogations: Officials and staff members, especially those suspended, will be interviewed to identify collusion or negligence. This process will help uncover the human factors contributing to the breach.
  3. Collaboration with cybersecurity experts: The department will likely collaborate with cybersecurity experts from the private sector and international agencies like Interpol to leverage advanced tools and techniques for the investigation.
  4. Financial audits: Comprehensive financial audits will be essential to tracking the flow of stolen funds and identifying any patterns that could indicate additional vulnerabilities or the involvement of other individuals.

Immediate actions for DPWI

  1. Strengthen financial controls: Implement stricter financial controls, including multi-factor authentication for transactions and segregation of duties to reduce the risk of unauthorised payments.
  2. Upgrade ICT infrastructure: Immediately upgrade all ICT systems to address known vulnerabilities. This includes applying security patches, upgrading outdated software, and enhancing encryption protocols.
  3. Employee training programmes: Initiate mandatory cybersecurity training programmes for all employees to improve awareness and responsiveness to potential threats.
  4. Real-time monitoring: Deploy real-time monitoring tools to detect and respond to suspicious activities promptly. This includes intrusion detection systems (IDS) and security information and event management (SIEM) solutions.
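The first and fourth actions above (segregation of duties and monitoring for suspicious payment activity) can be expressed as concrete checks over payment records. The script below is an added illustration written for this post; it is not code from DPWI, its banking partners or the investigators, and the payment records, vendor-master change log and field names are constructed for the example. It flags three patterns that a manipulated-invoice scheme typically leaves behind: the same user capturing and approving an invoice, the same invoice number paid twice, and a payment to a vendor shortly after that vendor’s bank account was changed (with a note on whether the person who changed the account also captured the payment).

```python
"""Payment-control checks over constructed sample data: segregation of duties,
duplicate invoices, and payments following a vendor bank-account change."""
from collections import defaultdict
from datetime import date

# Constructed sample payment records (not from the DPWI case). Each record
# names who captured the invoice, who approved it, the vendor and its account.
PAYMENTS = [
    {"id": "P1", "invoice_no": "INV-1001", "vendor": "V-A", "account": "ACC-1",
     "captured_by": "alice", "approved_by": "bob", "amount": 120_000, "date": date(2024, 5, 6)},
    {"id": "P2", "invoice_no": "INV-1002", "vendor": "V-B", "account": "ACC-2",
     "captured_by": "carol", "approved_by": "carol", "amount": 450_000, "date": date(2024, 5, 7)},
    {"id": "P3", "invoice_no": "INV-1001", "vendor": "V-A", "account": "ACC-1",
     "captured_by": "alice", "approved_by": "dave", "amount": 120_000, "date": date(2024, 5, 9)},
    {"id": "P4", "invoice_no": "INV-2001", "vendor": "V-C", "account": "ACC-9",
     "captured_by": "erin", "approved_by": "bob", "amount": 980_000, "date": date(2024, 5, 10)},
]

# Constructed vendor-master change log: who changed a vendor's bank account and when.
ACCOUNT_CHANGES = [
    {"vendor": "V-C", "old": "ACC-3", "new": "ACC-9", "changed_by": "erin", "date": date(2024, 5, 8)},
]


def sod_violations(payments):
    """Segregation of duties: the user who captured an invoice must not approve it."""
    return [p["id"] for p in payments if p["captured_by"] == p["approved_by"]]


def duplicate_invoices(payments):
    """Same vendor and invoice number paid more than once (double-payment pattern)."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor"], p["invoice_no"])].append(p["id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def payments_after_account_change(payments, changes, window_days=30):
    """Payments to a vendor's newly changed bank account within `window_days`
    of the change. Returns (payment id, who changed the account, whether that
    same person also captured the payment) for reviewer follow-up."""
    flagged = []
    for p in payments:
        for c in changes:
            if c["vendor"] != p["vendor"] or c["new"] != p["account"]:
                continue
            age = (p["date"] - c["date"]).days
            if 0 <= age <= window_days:
                flagged.append((p["id"], c["changed_by"], c["changed_by"] == p["captured_by"]))
    return flagged


def run_checks(payments=PAYMENTS, changes=ACCOUNT_CHANGES):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "sod": sod_violations(payments),
        "duplicates": duplicate_invoices(payments),
        "recent_account_change": payments_after_account_change(payments, changes),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the constructed data, the checks flag P2 (captured and approved by the same user), P1/P3 (invoice INV-1001 paid twice) and P4 (paid to an account changed two days earlier by the same person who captured the invoice). In practice these checks would run against the payment system’s audit trail on a schedule or as SIEM rules, with each hit routed to someone outside the payments team for review.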

Recommendations for the future

  1. Regular security audits: Establish a routine schedule for comprehensive security audits conducted by independent cybersecurity firms. These audits should assess the department’s security posture on both technical and procedural levels.
  2. Enhanced incident response plan: Develop and regularly update an incident response plan that outlines clear procedures for detecting, reporting, and mitigating cyber incidents. Ensure that all employees are familiar with this plan.
  3. Continuous vulnerability assessment: Implement continuous vulnerability assessment and penetration testing (VAPT) to identify and address security gaps proactively.
  4. Collaboration and information sharing: Foster collaboration with other government departments, private sector experts, and international agencies to share threat intelligence and best practices for cybersecurity.
  5. Invest in advanced security technologies: Allocate budget for advanced security technologies such as artificial intelligence-driven threat detection, blockchain for secure transactions, and biometric authentication methods.
  6. Strengthen legal framework: Advocate for more robust cybersecurity laws and regulations to hold individuals and organisations accountable for cybercrimes. This includes stricter penalties for those found complicit in such activities.

We’re here to help

Reach out to us for any questions or comments on the incident. We’re also available for legal, technical and policy guidance on how to improve your organisation’s information security programme.