The Government Employees Pension Fund (GEPF) is investigating an alleged data breach at its administrator, the Government Pensions Administration Agency (GPAA).
The GEPF said on Tuesday it was notified by the GPAA of an attempt to access the administrator’s systems on 16 February. At that stage, it was informed that no data breach had occurred. The GPAA subsequently established this was an attempt by the ransomware group LockBit.
On 12 March, following the release of “certain GPAA data” by LockBit on Monday, the GEPF was informed by the GPAA that preliminary investigations found that “certain GPAA systems were compromised”, the GEPF said.
The GPAA manages the money within the GEPF, the largest pension fund in Africa, administering the pensions of about 1.7 million government employees and pensioners, as well as their spouses and dependants.
The GPAA is investigating the alleged data breach and whether it impacts the GEPF. It said pension payments have not been affected by the purported data breach.
The GPAA said preventative action was taken when it became aware of the attempted access to its systems, which included shutting down all systems to isolate affected areas.
The GEPF said it was engaging with the GPAA and its oversight authority, National Treasury, to establish the veracity and impact of the reported data breach and will provide an update in due course.
MyBroadband reported on Monday that LockBit claims it has released a 668 gigabyte archive it says contains data it stole from the GPAA.
“LockBit set a deadline of 11 March 2024 for the GPAA to pay its extortion demand or face having its stolen data released on the dark web. As proof that it had exfiltrated valuable data, the group posted a sample on its dark web site, which included scans of at least one senior government official’s passport. It appears that the GPAA refused to pay the ransom,” the report said.
According to MyBroadband, LockBit is a cybercriminal group that sells ransomware as a service (RaaS) software that threat actors can buy to carry out attacks. These attacks encrypt the victim’s data to demand a ransom. Additionally, they may steal data before encrypting it and threaten to leak it publicly if their demands are not met.
“The group had established itself as among the most prolific in 2022, and it is estimated that it was responsible for 44% of all ransomware attacks globally in 2023,” the website said.
Another technology news website, The Record, quoted Don Smith, the vice-president of threat research at Secureworks CTU, as saying: “In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator. It approached ransomware as a global business opportunity and aligned its operations accordingly, scaling through affiliates at a rate that simply dwarfed other operations.”
The Record reported last month that LockBit’s website was seized on 19 February as part of a law enforcement operation that involved the UK’s National Crime Agency, the Federal Bureau of Investigation in the US, Europol, and several international police agencies.
The seizure of LockBit’s website raises the questions around the group’s involvement in the attack on the GPAA and its claims to have dumped data on the dark web.
The Record quoted cybersecurity expert Valéry Rieß-Marchive as saying that LockBit might be making new posts to maintain the appearance that it is still active, but it is hawking data stolen during attacks conducted before the takedown operation.