Ransomware group dumps massive collection of government employee data online

Ransomware group LockBit has added South Africa’s Government Pensions Administration Agency (GPAA) to its victim list.

LockBit set a deadline of 11 March 2024 for the GPAA to pay its extortion demand or face having its stolen data released on the dark web.

As proof that it had exfiltrated valuable data, the group posted a sample on its dark web site, which included scans of at least one senior government official’s passport.

It appears that the GPAA refused to pay the ransom, as LockBit has released a 668GB archive it says contains data it stole from the agency.

LockBit is a cybercriminal group that sells ransomware as a service (RaaS) software that threat actors can buy to carry out attacks.

These attacks encrypt the victim’s data to demand a ransom and threaten. Additionally, they may steal data before encrypting it and threaten to leak it publicly if their demands aren’t met.

The group had established itself as among the most prolific in 2022, and it is estimated that it was responsible for 44% of all ransomware attacks globally in 2023.

MyBroadband reported on a security breach at the Government Employees Pension Find (GEPF) in February 2024 when an unauthorised party attempted to access its systems.

The GEPF told MyBroadband that its administrator (the GPAA) had shut down its systems to isolate the breach.

“There was no outage. However, the systems were shut down by our administrator (GPAA) as a security measure due to an attempt to gain unauthorised access to our systems,” it said.

“It is important to note that this system shutdown did not compromise our data nor affect payments to be made to pensioners.”

However, at the time, an anonymous source told MyBroadband that no payments had been made since 12 February 2024.

“They are not even doing applications manually. No payments have happened since 12 February,” they said.

“The self-service site and call centre are still down this morning (Wednesday, 21 February 2024).”

However, the GEPF released a statement later that said its offices and call centre were operational again and reiterated that no payments were affected.

“No payments were affected by this incident, and pensioners and members will receive their benefits as per their usual payment dates,” it said.

There was some confusion over the cause of the downtime, with the GEPF issuing wildly differing notices between 14 and 19 February.

The first notice said the GEPF call centre and its walk-in centre in Sunnyside, Pretoria, were closed due to technical issues.

Then, the following day, it said the centres had been closed due to a burst pipe disrupting the water supply to its office buildings.

“Normal work operations will resume tomorrow, 16 February 2024,” it added. “Kindly note that all the other GEPF offices and walk-in centres remain open to the public.”

However, its reasoning for the outage changed again on Friday, 16 February, when it notified the public that the GPAA’s systems were offline.

“GPAA is unable to assist clients at our regional offices, call centre, mobile offices, and co-locations with pension administration queries,” it said.

It urged clients not to visit GEPF offices nationwide until it informs its members that the systems are fully online.

In a further update, it revealed that it had experienced an attempt to gain unauthorised access to its systems and shut them down to isolate the breach.

“The incident required GPAA, as part of their security measures to shut down all systems to isolate affected areas and prevent any breaches,” the GEPF said.

“After the shutting down of systems, the GPAA immediately embarked on a process to restore systems and prevent any incidents.”

It also emphasised that its members’ personal information was safe.

Given LockBit’s data dump today, this appears to have been wishful thinking on the GEPF’s part.