Cyber Incident Victim: Department of Justice and Constitutional Development
Date: Apr 2023
Location: South Africa
Summary
The Department of Justice was the victim of a multi-million rand cyberattack targeting its Guardian's Fund, resulting in a significant financial loss. The breach caused a suspension of payments from the fund, which manages money for minors and other vulnerable individuals. This incident, investigated by the Hawks, is the third such attack on the department in recent years, following previous breaches that also led to substantial financial losses and operational disruptions affecting court systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around April 6, 2023, cyber criminals breached the systems of the Department of Justice’s Guardian’s Fund, which is administered by the Master of the High Court. The attackers targeted the fund’s offices in KwaZulu-Natal and the Free State and made off with R18 million. The specific intrusion method was not detailed, but the theft was carried out through unauthorized financial transactions. The incident was not discovered or reported until April 11, 2023, five days after the theft, a significant detection delay. As a direct consequence, the Department of Justice suspended all payments from the affected Guardian’s Fund offices pending the outcome of an investigation. The suspension directly affected beneficiaries who rely on the fund, which manages money on behalf of people legally incapable of managing their own affairs, such as minors, unborn heirs, and missing persons.

The department confirmed the cyberattack and initiated a multi-agency investigation involving the Hawks (a specialized South African police unit), the Financial Intelligence Centre, and an internal forensic team. A departmental spokesperson, Stephans Mahlangu, publicly addressed the incident, stating that the department views cybersecurity as a strategic concern and has invested in initiatives to strengthen its defensive controls. These stated investments included renewing IT infrastructure, contracting external skills and expertise, establishing processes to uncover vulnerabilities, and conducting regular cybersecurity awareness training for staff. The spokesperson rejected claims that the department was unable to secure itself, instead characterizing the incident as part of a broader challenge faced by all organizations operating online, which confront constantly evolving and sophisticated threats that often outpace existing protective measures.
This April 2023 incident represented the third major cyber breach suffered by the Department of Justice within a three-year period. An apparently identical attack occurred in September 2020, wherein thieves siphoned R10 million from the department in 11 separate transactions. A subsequent and more disruptive attack took place a year later in 2021, when the department’s entire IT system was encrypted, locking out officials and members of the public. This encryption attack severely disrupted court operations, the processing of maintenance payments, and the functioning of the master’s office, which is responsible for processing deceased estates. The Guardian’s Fund itself held substantial reserves, with its annual financial statements for the 2022 financial year showing just over R17 billion in reserves invested with the Public Investment Corporation, making it a high-value target for financially motivated threat actors.
The recent breach occurred against a backdrop of regulatory scrutiny. Earlier in April 2023, the Information Regulator had reportedly found the Department of Justice negligent for failing to prevent a prior data breach that resulted in the loss of 1,204 sensitive files. The regulator’s investigation concluded that the department had not taken adequate steps to safeguard its IT systems against hackers. A specific finding was that the breach would have been prevented had the department renewed its security information and event management (SIEM) and intrusion detection system licenses, which had apparently expired in 2020. The regulator’s spokesperson stated that had these licenses been active, the department would have received alerts about suspicious activity by unauthorized persons and been able to monitor unusual network activity, potentially preventing the loss of the files. As a corrective measure, the Information Regulator served the department with an enforcement notice ordering it to renew the expired software licenses and to take disciplinary action against implicated officials within 31 days.
The impacts of the April 2023 attack were both financial and operational. The direct financial loss was the R18 million stolen from the fund. Operationally, the suspension of payments from the affected offices created hardship for the beneficiaries, described internally as "poor orphans," who had no immediate alternative for receiving their funds. A departmental insider expressed skepticism about the official explanation, suggesting the possibility of an inside job given that the theft occurred from the same account and in the same manner as the 2020 incident. The insider also noted a lack of internal communication and planning regarding the suspended payments. The department's public response emphasized its layered range of cybersecurity controls, including administrative and technical measures such as policies, procedures, access controls, malware protection, intrusion detection systems, and network monitoring. The department asserted that these controls are regularly monitored, tested, and audited by external parties to ensure their effectiveness.
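The page describes a theft carried out as a series of unauthorized transfers from one fund account, repeating the 2020 pattern, that went unnoticed for five days even though the department says it runs network monitoring and intrusion detection. Network-level tooling does not see a fraudulent disbursement that is submitted through the legitimate payment application; that needs transaction-level rules. The following is an added example, not the department's, the regulator's or any vendor's code, of the kind of disbursement-anomaly rules a SIEM or a payment-monitoring job could run over a payment ledger. The ledger records, account identifiers, actor names and every threshold are constructed assumptions chosen to approximate the pattern the page describes (large transfers to never-before-seen payees, in a burst, off-hours); nothing here is taken from the actual investigation.

```python
"""Disbursement-anomaly rules over a constructed payment ledger (added example)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Tunable thresholds. These are assumed illustration values, not departmental policy.
NEW_PAYEE_THRESHOLD_ZAR = 100_000.0      # single payment to a payee never seen in the baseline
VELOCITY_WINDOW = timedelta(hours=24)    # sliding window for burst detection per source account
MAX_TX_PER_WINDOW = 5                    # more than this many transfers in the window is a burst
MAX_SUM_PER_WINDOW_ZAR = 2_000_000.0     # or more than this total in the window
BUSINESS_HOURS = range(7, 18)            # 07:00-17:59; anything else is off-hours

# Constructed sample ledger: (timestamp, source_account, payee_account, amount_zar, initiated_by).
# The first three rows are ordinary activity used to learn which payees are normal;
# the 02:xx rows mimic a burst of large transfers to fresh payee accounts.
SAMPLE_LEDGER = [
    ("2023-04-03T09:12:00", "GF-KZN-001", "BEN-10442", 4_500.00, "clerk_a"),
    ("2023-04-04T10:05:00", "GF-KZN-001", "BEN-20871", 12_000.00, "clerk_b"),
    ("2023-04-04T14:30:00", "GF-FS-002", "BEN-30555", 8_200.00, "clerk_c"),
    ("2023-04-06T02:14:00", "GF-KZN-001", "ACC-99810", 1_700_000.00, "clerk_a"),
    ("2023-04-06T02:21:00", "GF-KZN-001", "ACC-99810", 1_900_000.00, "clerk_a"),
    ("2023-04-06T02:40:00", "GF-KZN-001", "ACC-99811", 1_200_000.00, "clerk_a"),
    ("2023-04-06T09:40:00", "GF-FS-002", "BEN-30555", 6_100.00, "clerk_c"),
]
BASELINE_UNTIL = "2023-04-05T23:59:59"   # rows up to here only train the payee baseline

Alert = namedtuple("Alert", "ts rule source payee amount actor")


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def evaluate(ledger, baseline_until: str):
    """Return the alerts raised by the three rules for records after `baseline_until`.

    Records at or before the cutoff are not evaluated; they only populate the set of
    payees each source account has historically paid. Payees first seen after the
    cutoff are deliberately NOT added to that set, so a mule account paid repeatedly
    keeps raising the new-payee rule until someone reviews it.
    """
    cutoff = parse(baseline_until)
    known_payees = defaultdict(set)   # source account -> payees seen in the baseline
    recent = defaultdict(list)        # source account -> [(datetime, amount)] inside the window
    alerts = []
    for ts_s, src, payee, amount, actor in sorted(ledger, key=lambda r: parse(r[0])):
        ts = parse(ts_s)
        if ts <= cutoff:
            known_payees[src].add(payee)
            continue
        # Rule 1: large payment to a payee this account has never paid before.
        if payee not in known_payees[src] and amount >= NEW_PAYEE_THRESHOLD_ZAR:
            alerts.append(Alert(ts_s, "new_payee_large_amount", src, payee, amount, actor))
        # Rule 2: too many transfers, or too much money, out of one account in the window.
        window = [(t, a) for t, a in recent[src] if ts - t <= VELOCITY_WINDOW]
        window.append((ts, amount))
        recent[src] = window
        total = sum(a for _, a in window)
        if len(window) > MAX_TX_PER_WINDOW or total > MAX_SUM_PER_WINDOW_ZAR:
            alerts.append(Alert(ts_s, "velocity", src, payee, total, actor))
        # Rule 3: disbursement initiated outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(Alert(ts_s, "off_hours", src, payee, amount, actor))
    return alerts


def detection_lag_days(alerts, discovered_at: str) -> float:
    """Days between the first alert and the time the incident was actually noticed."""
    first = min(parse(a.ts) for a in alerts)
    return (parse(discovered_at) - first).total_seconds() / 86_400


if __name__ == "__main__":
    found = evaluate(SAMPLE_LEDGER, BASELINE_UNTIL)
    for a in found:
        print(f"{a.ts} {a.rule:24s} {a.source} -> {a.payee} R{a.amount:,.2f} by {a.actor}")
    print(f"first alert preceded discovery by {detection_lag_days(found, '2023-04-11T00:00:00'):.1f} days")
```

Run against the constructed ledger, every row of the 02:xx burst trips at least two rules while the ordinary Free State payment trips none, and the first alert lands on the morning of the first fraudulent transfer rather than five days later. The point of the baseline cutoff is that "new payee" only means anything relative to history the attacker did not write; for a real fund the baseline would be the account's actual beneficiary register, and the thresholds would be set from observed disbursement sizes rather than the round numbers assumed here.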
External commentary from cybersecurity firm Scarybyte provided context on the broader threat landscape facing government infrastructure in South Africa. The firm, which had recently assisted Postbank in addressing cyber vulnerabilities that led to a R150 million loss, stated that government entities often face severe cyberattacks. The firm's CEO noted that the digital landscape requires a dynamic approach to cybersecurity encompassing technology, skilled personnel, and robust procedures. He stated that the repeated breaches at the Department of Justice indicated that their cybersecurity measures may need bolstering and that given the nature of the repeated attacks, the involvement of insiders could not be ruled out, emphasizing the need for a comprehensive security approach that considers both external and internal threats. The department's planned resumption of payments from the affected Guardian’s Fund offices was announced for June 1, 2023, nearly two months after the attack and the subsequent suspension of services.
