The National Student Financial Aid Scheme (NSFAS) is taking measures to fortify its IT systems, after cyber criminals tried to gain unauthorised access to its payment infrastructure and that of its fintech partners.
This is according to NSFAS board chairperson Ernest Khosa, speaking this week during a media briefing held with higher education, science and innovation minister Dr Blade Nzimande.
Last month, NSFAS issued a warning, urging students to be vigilant when using online allowance payment platforms, after criminals tried to gain access to its payment systems.
In a media briefing at that time, Khosa expressed concern after rising levels of targeted attacks on the student aid scheme’s payment partner companies, as hackers repeatedly tried to gain control of sensitive student data.
The attacks had targeted the websites where beneficiaries’ accounts were hosted.
Following the incident, NSFAS asked law enforcement agencies to open an investigation into the matter, to determine the cause and source of the attack.
Providing an update on the investigation this week, Khosa explained the prevention of cyber attacks on the organisation was a key directive that Nzimande gave the board during a recent meeting.
“The minister said we need to ensure our IT system responds to the challenges we are currently facing, and ensure it is safe and in line with accepted standards to safely service our main client-base, who are the students.
“The IT sub-committee has also discovered a number of weaknesses in our IT system. There are people who are not supposed to access it who are accessing it. In this case, we took two actions. The first one was to report the incident to the law enforcement agencies. The other action was to procure expertise to assist us to ensure our IT system is much safer,” said Khoza.
NSFAS runs close to a R50 billion annual budget, which services young people from poor and working-class backgrounds, according to the Department of Higher Education and Training.
The investigation also identified malicious sites that mimic the official NSFAS student portals, and the aid scheme has since advised students to be on the look-out for them, he noted.
Through its cyber security and risk department, NSFAS says it continues to monitor the internet network for suspicious and malicious sites that mimic its official portals in order to harvest students’ credentials to hijack their accounts.
NSFAS has, over the years, been faced with a number of challenges, including IT system failures and mismanagement within the scheme.
The targeted attacks come several months after preliminary findings of an investigation conducted by the Special Investigating Unit (SIU) identified flaws and weaknesses in the scheme’s IT systems.
ITWeb previously reportedon the findings, which reveal system vulnerabilities resulted in overpayments, underpayments and payments to ‘ghost students’ over the years.
The SIU uncovered that the scheme incorrectly funded some 40 000 non-qualifying students to the tune of more than R5.1 billion, from 2017 to date.
The investigation further found ongoing corruption and maladministration at the organisation, noting NSFAS failed to design and implement strong controls to ensure there is an annual reconciliation between the funds disbursed to the institutions and the allocation of those funds to the students.
Providing an update during this week’s briefing on how the entity has been trying to resolve some of these issues, Nzimande highlighted the importance of NSFAS collaborating with government agencies to identify non-qualifying students.
Nzimande said the scheme is working closely with the South African Social Security Agency, South African Revenue Service (SARS) and the Department of Home Affairs to verify information submitted by students applying for funding.
According to Nzimande, a report from the NSFAS board shows 45 927 students were correctly or erroneously disqualified for funding due to processing gaps, which fall under three broad categories: hybrid applications, missing parental relationships and latency data from the Higher Education Information Management System.
Hybrid applications are continuing students who applied, while missing parental relationships applications are first-time entering students, who were previously funded and later rejected because of additional parental relationships that were verified, based on additional information sourced from government agencies.
On hybrid applications, Nzimande said, the report shows that about 14 703 records were continuing students who applied erroneously because of migrating from the old to the new system. In some instances, students panicked because they did not see their funding status and again applied for funding.
“I can confirm that all these students are now funded. The balance of 31 224 students remain not funded and this is due to the assessment of financial eligibility, as NSFAS continues to pick up additional parental relationships and academic ineligibility,” he explained.
On the missing parental relationships, Nzimande noted some students had initially declared one parent or the “incorrect” parent, who was not picked up by the Department of Home Affairs, and as such, a decision was made to initially fund the student.
“However, based on review of this trend, through a relationship matrix that is built internally at NSFAS, we established additional parental relationship of students. This was exposed to SARS verification, and SARS came with the feedback that the combined family income of these families exceeds the threshold. This led to the discontinuation of funding for some of the students.”
Nzimande further noted NSFAS received a total of 178 426 appeals from students due to the disqualifications, and these include 63 331 appeals that were approved and 8 528 that were rejected.