The Warning That Went Unheeded
During the 2023/24 audit, the Auditor-General flagged the need for a network access control (NAC) system to strengthen controls over who and what can access the Gauteng Provincial Government network. The department never implemented it.
When pressed on the delay, MEC Bonginkosi Dhlamini acknowledged the AG’s recommendation but downplayed its urgency. He characterized the NAC system as an additional measure rather than a critical gap, claiming comprehensive cybersecurity controls were already in place. The real obstacle, the department said, was funding. The NAC system simply wasn’t budgeted for.
What Was Exposed
The breach hit the e-Recruitment system powering the Gauteng Government jobs portal. Attackers accessed personal information from 283 application forms. Here’s what was compromised:
- Curriculum vitae and educational qualifications
- Certified copies of South African identity documents
- Email addresses and phone numbers
- Proof of residence documentation
- Other contact details
For job applicants, this is precisely the kind of data identity thieves need to commit fraud. The sensitivity of the exposed material is what makes the breach particularly damaging.
How the Breach Happened
The department traced the breach to a compromised user account that had access for routine daily work but lacked privileged or administrator permissions. The jobs portal is intentionally open to the internet to allow remote applications, which creates inherent exposure but is necessary for public access.
Despite the breach, no additional security audits or penetration tests were conducted afterward. The department says it performs monthly vulnerability assessments and continuous system monitoring, which it considers sufficient oversight.
Political Pushback and Accountability
Michael Waters, Democratic Alliance spokesperson for e-Government, isn’t satisfied. He points out that the department knew about the network access control gap for over a year and did nothing to address it. Waters has formally asked the Auditor-General to investigate why the NAC recommendation wasn’t implemented during the current audit cycle.
The DA has also submitted additional questions to understand the real reason the NAC system remained unfunded. The political pressure reflects broader frustration about whether adequate resources are being allocated to cybersecurity across provincial departments.
The Larger Picture
This case illustrates a recurring challenge in government IT: recommendations made by auditors don’t always translate into action, especially when budget constraints are cited. Whether the funding issue was real or the priority was simply set elsewhere remains an open question that ongoing oversight should answer.
For the job applicants whose data was exposed, the department’s assurances about ongoing monitoring may offer little comfort.
Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to Get Instant Updates



