The Department of Public Works and Infrastructure (DPWI) has turned to law enforcement agencies to investigate what it describes as a “Sage breach” of its payment system.
This came to light during a briefing by the department and the Special Investigating Unit (SIU) beforeParliament’s public works and infrastructure committee on Friday. The SIU was on hand to update the committee on all outstanding cases of alleged corruption within the DPWI.
The department provided information on the ICT security issues that resulted in fictitious payments, and loopholes for corruption and fraud.
The DPWI blamed finance, HR and payroll software provider Sage for its payment system troubles.
Prior to this, the department’s issues with Sage were flagged by portfolio committee chairperson Carol Phiri, alleging government funds were being lost through the system’s vulnerabilities, often resulting in late payments to service providers.
Sage Africa and Middle East responded to the allegations voiced during the briefing, saying it has full confidence in the security of its products, and pointing out that clients are responsible for managing their security infrastructure.
Shifting blame
Lwazi Mahlangu, deputy director-general (DDG) of the DPWI, told MPs that due to its lack of adequate technology, cyber criminals find opportunities to defraud the department.
His presentation claimed that the security breaches within the ICT environment might be due to inadequate system development, testing and implementation, including a possibility of collusion between DPWI officials and service providers.
Mahlangu said the DPWI payment system, which is provided by Sage, suffered a breach, which resulted in several fraudulent/unauthorised payments, resulting in significant financial losses.
“What we’ve done in terms of the ‘Sage breach’ since the incident, is that we’ve sought the support and services of the State Security Agency, which assisted in terms of the controls that are currently in place on how we limit, or minimise, the risk of exposure to those external vulnerabilities.
“We also have the Hawks from two divisions; namely, the Directorate of Priority Investigations to follow the money, which basically followed the banks, and some have been subpoenaed. The other one is the cyber security unit that deals with forensics, as well as testing of devices.”
From an internal investigation perspective, the department’s DDG said a forensic service provider has been appointed to investigate the breach of the payment system, to identify the role-players within the department who may have collaborated with external parties.
“As a result, the department has confiscated 39 work laptops of officials within the ICT and finance divisions.
“We processed these to look at the activities on those laptops and we found quite a bit of telling information. This discovery led to the suspension of four officials for a period of four to six months.
“Further to that, three people have been issued with representation letters, where they have to respond, and then further action will be taken on those with regard to the Sage matter.”
According to Mahlangu, parallel to that investigation is the day-to-day controls, including workstreams, an ICT steering committee and a crisis committee that sits daily to look at the controls and monitors the payments as they go through.
“Where we pick up red flags in relation to suspicious transactions, we’ll stop the process immediately and investigate the root cause and look at the controls that have been weakened.”
Responding to ITWeb’s request for comment, Sage says it’s aware of the external investigations into the DPWI, and the portfolio committee comments regarding the DPWI's use of Sage X3 software.
Says Pieter Bensch, executive vice-president and MD of Sage Africa and Middle East: “We take these comments very seriously and are committed to addressing them transparently and constructively with the DPWI, the authorities and other stakeholders, including business partners.
“The implementation of Sage X3 is a collaborative effort between Sage, its business partners and customers. For on-premises deployments, oversight and maintenance of the infrastructure are determined by the customer’s internal policies and resources.
“While Sage and its partners provide robust software and tailored implementation, the customer is responsible for managing their security infrastructure.
“We continue to have full confidence in the security of our products. We are unwavering in our commitment to delivering trusted, dependable solutions for all our customers and partners.”
Historical vulnerabilities
The DPWI is responsible for public infrastructure, as well as providing accommodation and property management services to all the other ministries of the South African government.
It also provides direction on the integration of public works priorities, contributing to job creation and poverty alleviation through its Expanded Public Works Programme (EPWP).
The department is no stranger to challenges and vulnerabilities regarding its ICT infrastructure, with recent revelations that cyber criminals looted R300 million from the DPWI in a 10-year period.
In 2018, the Gauteng Department of Infrastructure unveiled a biometrics system to help combat manipulation of processes within the EPWP.
It said too many crooks were benefiting from the EPWP, with loopholes often identified by the Auditor-General of SA.
In his opening remarks during the committee meeting, public works and infrastructure minister Dean Macpherson affirmed the department’s ongoing challenges, including the lack of ICT security measures and inefficiencies in the supply chain management process.
“It is these systematic weaknesses that create opportunities for not just unethical behaviour, but criminal behaviour as well,” he said.
“Because we want to be a solutions-oriented seventh administration, we are currently working on strengthening internal controls, particularly within supply chain and facilities management.
“We are also adopting a set of robust ICT security measures, including enhanced firewalls, system updates, as well as blacklisting service providers involved in alleged corrupt practices.”
Share