The GEPF’s operator, the Government Pensions Administration Agency (GPAA), experienced a cyber-attack on 16 February 2024, in which criminals launched a ransomware attack on some of the GPAA’s systems. The investigation of the incident found that certain data folders may have been compromised. This data could include your personal information, which GPAA stores as part of its processes to manage pension benefits on behalf of the GEPF. Data subjects were notified of the security breach and potential compromise of personal information on 20 March 2024. Furthermore, the security compromise was reported to the relevant authorities, entities and the Information Regulator for further investigations, support and transparency.
Approximately 168000 data subjects’ records were accessed as a result of the cyber-attack. The affected records are limited to names, surnames, ID numbers, pension numbers, employee numbers, gender, spouse’s information, salary information, marital certificates, death certificates, banking details, and tax numbers. Unauthorised access to this information could lead to criminals impersonating the data subjects.
We apologise for any inconvenience caused and assure you that every reasonable step has been taken to ensure that all GEPF/GPAA systems and platforms are safe and protected from unauthorised and unlawful access. As a precautionary measure, we urge you to follow these security tips:
1. Verify requests for personal information and only respond when necessary.
2. Do not share your passwords or PINs over the phone, fax, social media, text, WhatsApp, or email.
3. Use unique passwords for different accounts and change them regularly.
4. Install and update antivirus software to scan your devices for malware.
5. Avoid clicking on suspicious links or responding to unusual messages.
6. Monitor your bank accounts and credit reports for unusual activity.
The GEPF has ensured that ICT systems are updated to harden security controls and patched with the latest supported versions. These updates include user and privileged access management to reduce the risk of unauthorised access. The implementation of next-generation firewalls ensures robust perimeter security, reducing potential external threats. Patch management on server infrastructure and workstations is in place and monitored. Reliable antivirus solutions have been deployed in the environment, with the required encryption of endpoint devices.
The final controls for implementation will include finalising the deployment of a Security Operations Centre and network monitoring solutions. These solutions will allow continuous monitoring and reporting on threats and suspicious activity on the networks, systems, and applications used in the administration. The network infrastructure will also be upgraded to ensure further security controls are available to the administration.
The GEPF/GPAA remains committed to protecting your personal information. Data subjects were notified of the security breach and potential compromise of personal information on 20 March 2024 through a media statement on the websites of both GEPF and GPAA. In addition, an updated media statement was published in September 2024 following an investigation into the breach.
The GEPF/GPAA have placed all notifications of the breach incident on www.gepf.co.za and www.gpaa.gov.za respectively, detailing the security compromise as per Section 22 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). Further, the GEPF/GPAA will proceed to inform the data subjects should there be any updates relating to the breach. Kindly contact the offices of the GEPF/GPAA to report any suspicious activities which might be related to the breach.
Issued by the Government Employees Pension Fund