Two brothers who are interested in IT have discovered serious flaws and vulnerabilities in NSFAS’ problematic Information and Communication Technology system that could have exposed millions of students’ personal data, including bank account details, to manipulation by scammers. Two information-technology-savvy brothers, Conner and Jordan Bettridge, have discovered serious flaws and vulnerabilities in the National Student Financial Aid Scheme’s (NSFAS) problematic Information and Communication Technology (ICT) system that could have exposed millions of students’ personal data, including bank accounts, that potential scammers could have gained access to and manipulated to their benefit. This came after Connor, the younger brother, who is studying Computer Science at Varsity College in Cape Town, accessed the NSFAS portal while helping someone with a funding application.
Gaining access to the communication page, Connor said that he saw students’ details, addresses, gender and income, including bank accounts. Daily Maverick spoke to the older brother, Jordan, who works full-time at an insurance technology company. Jordan said his brother asked him to do more digging on the issue.
“The found vulnerability was where you could gain access to any SMSes and emails that were sent out by the NSFAS system, so any time an applicant or a staff member or anyone logs in, you can see their one-time pins, you can see them signing up, you can see all of their personal information, like their ID numbers… It wasn’t difficult at all. You could write a script in 20 minutes that literally pulls every single SMS and email that the NSFAS system has sent, along with all the person’s information going all the way back to 2022. There were probably somewhere between half a million and a million applicants,” said Jordan.
Read Full Article on Daily Maverick
[paywall]
Daily Maverick has extensively covered NSFAS’ chronic ICT system failures, highlighting issues like payment backlogs, tech woes and manual processes, leading to student anxiety, accommodation crises and demands for accountability from MPs. “Some of the things we have picked is that it is possible that information relating to students could be vulnerable to abuse.” Some of these vulnerabilities, according to Jordan, could lead “a person to change banking details of students to their own banking details. NSFAS will pay them all of the funding that’s supposed to go to those students… I mean, if they can do anything from something as simple as, like, quite often on the dark web, you’ll find people selling data leaks, so some data broker will go, and they’ll condense all of this information about everyone, and they’ll sell it to the highest bidder,” said Bettridge.
After this major discovery, both brothers tried to contact NSFAS to act promptly on this issue of flaws. According to Jordan, he tried to get in contact with NSFAS via the call centre; however, he did not get through to anyone.
[/paywall]
