The South African Postbank is to spend R400-million over the next three years to upgrade and modernise its IT systems. This follows the state-owned entity losing more than R18-million over a three-month period to cybercrime attacks.

On Tuesday, Postbank CEO Lucas Ndala told parliament’s portfolio committee on communications that it had “a number of cyber fraud incidents – most of them relating to the Sassa beneficiary grant payment system”.

Ndala said the Postbank IT system had been flagged by the auditor-general for having “control weaknesses”.

“There has been a concerted effort to address these system deficiencies since the grant system was ceded to Postbank in 2021. A lot of these weaknesses come from the system itself because it came with a number of flaws that needed to be addressed over time,” Ndala said.

In response to a question from DA MP Dianne Kohler Barnard on the total cost of the IT update, Ndala said: “The total cost approved is just around R400-million. This will be funded from Postbank resources. The modernisation will be over a three-year period.”

He said the accounts of 141 grant beneficiaries were hit in a cyberattack in August. The state-owned entity lost R5.8-million in this incident.

The second incident happened in September, also involving accounts receiving social grants on behalf of children. Ndala said the Postbank’s fraud risk team discovered that some of these accounts were fraudulent, and, as a preventative measure, these were blocked.

However, the blocking was “not done properly”, said Ndala. “Anyone could unblock them within our branch network,” he said. Postbank lost about R4-million in this incident.

In October 2022, Ndala said the Postbank banking system suffered another cybercrime attack and lost about R9-million.

Earlier this year it was revealed that the Postbank had suffered a loss of at least R90-million in cybercrime attacks in October 2021.

Ndala told MPs that Postbank is on the same IT network as the South African Post Office. One of the requirements when Postbank applied for a banking licence from the Reserve Bank was that it needed its own “standalone IT environment that cannot be impacted by the risks from the Post Office”.

Ndala said the report on a forensic audit into the recent cybercrime incidents is expected to be released in December, while the second part of the report is expected in February 2023.

Nonkqubela Jordan-Dyani, acting director-general in the department of communications & digital technologies, said: “There needs to be consequence management because these are public funds and funds that belong to Postbank. We need to make sure that all those responsible are held accountable.

“The Hawks will guide us in their process, and from our side, we are intending that the report will be tabled to cabinet,” said Jordan-Dyani.

Postbank did not respond to questions about whether payments to social grant beneficiaries were affected or how it had covered the losses.