Two information-technology-savvy brothers have discovered serious flaws in the National Student Financial Aid Scheme's ICT system, potentially exposing millions of students' personal details, including bank accounts, to scammers. The vulnerabilities allowed access to sensitive messages, one-time pins, and even administrative functions like altering funding. NSFAS has since patched the most critical issues after being alerted.
Connor Bettridge, a computer science student at Varsity College in Cape Town, stumbled upon the issues while assisting with an NSFAS funding application. He accessed the portal's communication page and viewed students' addresses, gender, income, and bank details. His older brother, Jordan Bettridge, who works in insurance technology, investigated further.
Jordan described how the system allowed anyone to access all SMSes and emails sent by NSFAS since 2022, including one-time pins and personal information for between half a million and a million applicants. 'It wasn’t difficult at all. You could write a script in 20 minutes that literally pulls every single SMS and email,' he said. By examining the website's code, Jordan found unsecured API endpoints for the admin dashboard, enabling actions such as declining funding requests, changing banking details, or withdrawing active funding.
These flaws build on NSFAS's ongoing ICT problems, including payment backlogs and manual processes that have caused student hardships. In 2024, former administrator Freeman Nomvalo warned a parliamentary committee that the systems were vulnerable to cyberattacks, noting risks to student information.
Jordan highlighted potential consequences: fraudsters could redirect funding to their own accounts or sell leaked data on the dark web. The brothers first tried contacting NSFAS directly but received no response. They then reached out via MyBroadband, alerting the media team and acting CEO Waseem Carrim, who confirmed the issues were addressed.
NSFAS issued a statement acknowledging that logged-in users could view all system-generated messages, including OTPs, and that certain API endpoints were insecure, allowing admin actions like withdrawing appeals. 'NSFAS became aware of a potential security weakness and immediately activated its information security and incident management protocols,' it read. The agency strengthened access controls and enhanced monitoring but did not address accountability for the system's setup.
This incident echoes a 2024 case where Stellenbosch University students exposed fraud vulnerabilities in the SASSA grant system, prompting a parliamentary probe.
