
Cyber gang hits Eastern Cape department

Officials downplay data breach; claim swift response and security


Sensitive data belonging to the Eastern Cape department of human settlements is believed to be in the hands of an international hacking group which gained access to its IT systems.

The data is said to have been compromised by the global ransomware group NightSpire.

The cyber-security breach led to a total shutdown of the department’s system, causing operations to grind to a halt.

A senior department official, who did not want to be named, confirmed that all the department’s systems had been compromised and were “in foreign hands”.

It is believed that the details of all applicants and recipients of government housing may have also been compromised.

“This led us to switch off all the systems and devices belonging to the department. All of it crashed. Emails and everything. The extent is far-reaching.

“All the people’s personal information, supplier and payment information is compromised. Staff were notified and told not to report to work.”

Several staff members said they had been sent home and told not to turn on their work laptops until further notice.

The source said the department was at risk of further security breaches since its IT systems were outsourced and vulnerable to hackers.

Officially, however, the department downplayed the issue, saying it was “a minor ICT security breach, which has since been resolved”.

Human settlements provincial spokesperson Yanga Funani said due to its advanced detection systems, the department was able to respond “swiftly and effectively”.

He claimed no data had been compromised and that all systems remained secure due to their “robust” backup infrastructure.

“As a precaution, we temporarily took certain systems offline to prevent any potential risks.

“Employees have been asked to work remotely and will return to the office on Monday.”

Funani said they were fully online and operating as normal.

The National Education, Health and Allied Workers Union’s Thando Manyonga said the department had informed Nehawu of the breach.

“We were told it had only affected their servers.”

East London IT expert Callon Low said the attack closely matched the behaviour of advanced malware families like Cobalt Strike and ZxShell.

He said one concern with this type of attack was that paying a ransom did not guarantee the attackers would delete the stolen data after payment was made.

Low said the use of external providers was in line with industry standards as long as proper vetting and acceptable guardrails were in place.

“Any leak of personal, identifiable data is not a small thing as it enhances the ability of bad actors to gain access to other systems,” he said.

Jason Jordaan, an East London-based cybersecurity expert specialising in digital forensics and incident response, said NightSpire was a “known ransomware criminal group”.

Several cyber companies have issued notices to their clients about the potential data threat the hack at the department posed.

They said 20Gb of sensitive data had been stolen.

Security specialists Broadcom reported in June that NightSpire had claimed responsibility for attacks on 64 entities across 33 countries between March and June, with a globally dispersed victim base, and that the group “exhibits a broad set of techniques consistent with modern ransomware operations”.

They said the group would send the organisation a note informing it that its sensitive data had been stolen and encrypted.

“It demands payment within three days, warning that failure to comply will result in public disclosure of the breach and the release of the stolen data.”

However, no indication of a ransom demand has been reported by the department.

The US is said to be the country hardest hit by the group, followed by clusters of activity in Turkiye, Hong Kong, Japan, Taiwan, Mexico, Spain and Egypt — all with multiple victims.

Cape Town-based cybersecurity expert Craig Pedersen said the hack would have heavy consequences.

He said the only way the ransomware could get into a system was through a weak point in the ICT infrastructure like an outdated computer.

“That tells me their security is not of a suitable grade for a government department … it’s incompetent.

“If they’re extracting data, every single person in that database is now compromised and that data could be used to create fake loan applications in their names, to steal their identities and run up credit,” he said.

He said the department was legally obliged to disclose what data was taken.

“They must report to the registrar that this has happened and communicate to all the people affected by it.

“They should be back up and running very quickly as long as they have proper backups,” he said.

In a statement, the DA said the incident placed thousands of housing beneficiaries at risk.

Party MPL Chantel King said the potential exposure of personal records threatened the accuracy of the Housing Needs Register and privacy of vulnerable families.

“It also deepens public mistrust in the integrity of beneficiary lists.

“The breach highlights how exposed critical systems have become due to years of underinvestment in ICT.”

The party urged human settlements MEC Siphokazi Lusithi to provide an immediate and comprehensive briefing to the portfolio committee.

Daily Dispatch

