The Gauteng Department of e-Government failed to implement a key Auditor-General (AG) recommendation to strengthen network access controls (NACs) before a data breach exposed sensitive personal information on the Gauteng government jobs portal.
The data breach affected the e-Recruitment system, specifically the Gauteng Government jobs portal.
The compromised information included 283 application forms, curriculum vitae, qualifications, certified copies of South African identity documents, contact details, including e-mail addresses and phone numbers, and proof of residence.
This information was revealed by Gauteng MEC for e-Government Bongikosi Dhlamini, in response to the Democratic Alliance’s (DA’s) questions tabled in the Gauteng Provincial Legislature.
Dhlamini confirmed that the AG raised concerns during the 2023/24 audit regarding the need to implement a NAC system.
According to Michael Waters, DA spokesperson for e-Government, this system aims to enhance controls over who and what can access the Gauteng Provincial Government network.
However, he says the department has now admitted the NAC system was not implemented because it remains unfunded.
No ‘critical deficiency’
According to Dhlamini, the AG first raised concerns over the implementation of a NAC system during the 2023/24 audit.
However, Dhlamini maintained the AG’s findings did not indicate an absence of cyber security controls, describing the NAC implementation as an additional recommendation rather than a critical deficiency.
“This was a recommendation from the AG to implement a NAC over and above the current cyber security environment that is already in place. There is already a comprehensive approach to cyber security within Gauteng Provincial Government. There is no need for interim measures,” he said.
Addressing the province’s response to the incident, Dhlamini said no additional cyber security audits or penetration tests had been conducted following the breach.
Instead, he said the Department of e-Government already performs monthly vulnerability assessments and continuously monitors its systems.
“The Department of e-Government continually provides vulnerability assessments monthly. There are regular sessions with the departments to manage vulnerabilities. The cyber security tools and Security Operations Centre operate 24x7x365. There has been no additional cyber security audits or penetration tests concluded after the recent reported isolated data leakage.”
The MEC also provided further information on the compromised account used in the breach.
“All user accounts have multi-factor authentication enabled. The source of the data leak was traced to the recruitment system (Jobs Portal). The compromised account did not have privileged or administrator access, but the role to perform daily duties,” he said.
The MEC further confirmed that the Jobs Portal is intentionally accessible over the internet, allowing applicants to submit job applications remotely.
Identity theft fears
However, Waters says the information that was breached is not minor. “These are the documents that expose applicants to identity theft, fraud and other forms of abuse if they fall into the wrong hands.
“The department insists that the breach was caused by a compromised user account rather than a technical vulnerability in the infrastructure. However, this does not change the fact that the AG had already warned the department to strengthen network access controls, and that they failed to implement the recommendation before the breach occurred.
“Even more concerning, the department has admitted that no additional cyber security audits or penetration tests were conducted after the reported data leak. This raises serious questions about whether the department has fully assessed the scale of the risk and whether Gauteng residents can trust that similar breaches will not happen again.”
Waters notes the DA Gauteng has written to the AG to request that the department’s failure to implement this recommendation be followed up on during the current audit cycle.
The DA will also submit further questions to determine why the NAC system was left unfunded despite the AG’s recommendation.
“We would know who decided not to prioritise funding for the system, and whether any official has been held accountable for the failure to implement the AG’s recommendations. Gauteng residents who submit personal information to government have a right to expect that their data will be protected. When government fails to act on Auditor-General warnings, it places ordinary residents at risk.
“The DA will continue to hold the department accountable until every outstanding cyber security recommendation is implemented and the public receives full transparency on how this breach was allowed to happen.”

