Cape Town - The Department of Social Development (DSD) has requested more time to conduct a comprehensive investigation into breaches in the integrity of the digital social grant system.
The department was given a month in which to conduct a comprehensive independent investigation into the Covid-19 Social Relief of Distress (SRD) Grant and all other grant systems administered by SASSA, following revelations made by two Stellenbosch University students of rampant fraud and identity theft within the SRD system.
SU Computer Science students Veer Gosai and Joel Cedras found that their ID numbers were used to apply for the SRD grant, which led to a broader investigation into the fraudulent use of student IDs to access the grants meant for the most destitute in the country.
During a briefing to the Portfolio Committee on Social Development, DSD Minister Sisisi Tolashe said: “We have recognised the weaknesses between ourselves and Sassa in so far as oversight is concerned.”
A preliminary report was tabled to the committee on Wednesday, with a request for an extension.
During a media briefing, Tolashe said: “For now, the investigation is not yet conclusive for us to be able to say how many IDs were stolen or how much money we lost.”
The Covid-19 SRD covers an average of eight million adults each month.
Deputy Minister Ganief Hendricks said there has been a suggestion to improve biometrics.
“We have to look at that but as you know, the recipients of the grants, they don't have smartphones like many of us so there are challenges. We can't make it too strict for people to put food on the table… they can't wait for such processes.”
The assessment into the SRD web application revealed vulnerabilities that could compromise the security and functionality of the system, the committee heard.
These issues include weaknesses in protecting user information, securing system components, and ensuring compliance with modern security standards.
Key concerns related to Login Security; Server Configuration Risks; Weak Content Security Policies (CSP); Exposed System Directories; Missing Security Headers; Weak Encryption Standards; Unprotected Backups; and Unencrypted Communications.
The issues identified posed a significant risk, including unauthorised access to sensitive information, system disruption, and potential non-compliance with data protection laws.
The recommendations made were implementing stronger password protection, improving server configurations, encrypting all communications, and securing sensitive files.
Cape Argus