R1bn phantom lease scandal hits agency that misled on cyber breach

Parliament probes GPAA over alleged bogus lease and false cyberattack assurances
Key topics:

  • Parliament probes GPAA over R1bn lease for non-existent building

  • GPAA faces backlash after massive LockBit ransomware data breach

  • 168,000 pensioners' sensitive data exposed in cyberattack

The Parliamentary Portfolio Committee on Public Service and Administration has summoned the Government Pensions Administration Agency (GPAA) to answer questions about an alleged R1-billion lease for a non-existent building.

This follows reports in News24 about the alleged irregular procurement through a fictitious agreement to lease a building for its headquarters for the next 10 years.

According to the reports, the GPAA has already paid R62.6 million, with a further R270 million committed to two contractors to renovate offices to which the agency has neither rights nor access.

“The committee will require full disclosure of all documentation and decision-making processes that led to the conclusion of the agreement,” said chairman Jan de Villiers.

“The allegations are extremely serious. It points to potential financial misconduct and a possible breach of fiduciary duties to pensioners and the public. As a committee, we must ensure accountability and prevent any recurrence.”

Finance minister Enoch Godongwana has also said he would launch an investigation into the allegations, adding that every effort to ensure complete transparency and accountability must be welcomed.

The GPAA is a government agency that administers funds for the Government Employees Pension Fund (GEPF), serving 1.7 million employees and pensioners.

In February 2024, the GPAA was the victim of a ransomware attack. The LockBit ransomware gang would later claim responsibility for the breach.

Initially, the GPAA gave assurances that no data had been compromised and that pensioner payments were unaffected. However, an anonymous source told MyBroadband that no payments had been made for a week before the disclosure.

As a result of the GPAA’s assurances, the GEPF posted notices on its website informing pensioners that their benefits and personal information were safe, and that the administration system had not been compromised.

However, following the GPAA’s denials, LockBit dumped a 668GB archive that contained data it claimed to have stolen from the agency.

LockBit was a cybercriminal group that sold ransomware-as-a-service (RaaS) software. Threat actors could buy LockBit’s software to carry out their attacks.

Ransomware encrypts the victim’s data and demands payment for a decryption key, which may or may not exist.

Additionally, attackers may steal data before encrypting it and threaten to leak it publicly if their demands aren’t met.

LockBit established itself as one of the most prolific ransomware groups during 2022. In 2023, the group was estimated to be responsible for 44% of all ransomware attacks globally.

Interpol said in its most recent African Cyberthreat Assessment Report, published in May 2025, that LockBit was one of the most prominent hacker groups operating in the region.

“LockBit is known for its aggressive double-extortion methods, encrypting victims’ networks while threatening to publish stolen data,” Interpol stated.

In February 2024, law enforcement agencies seized control of LockBit’s dark web sites, which were used for attacks. However, further attacks with LockBit ransomware were later reported, and the group attempted a comeback.

In May 2025, LockBit’s infrastructure was breached and defaced. Data exfiltrated from its systems included Bitcoin wallet addresses, public encryption keys, internal chat logs with victims, affiliate details, and other sensitive information.

GPAA gave false information

[Image: LockBit’s listing of the GPAA data file on its dark web site]

Following MyBroadband’s report on 11 March 2024 that LockBit had leaked the 668GB archive on its website on the dark web, the GEPF issued a strongly worded statement in which it said it was “extremely concerned” by the breach.

“The GEPF was informed by GPAA that no data breach had occurred when it was notified of an attempt to gain access to GPAA systems by unknown individuals on 16 February 2024,” the GEPF said.

“This morning, 12 March 2024, following the release of certain GPAA data by LockBit, the GEPF has been informed by GPAA that preliminary investigations found that certain GPAA systems were compromised.”

The pension fund said the GPAA had informed it that it was investigating the alleged data breach and whether it impacted the GEPF.

“GPAA has reconfirmed that preventative action was taken when it became aware of the attempted access to its systems, which included shutting down all systems to isolate affected areas,” the GEPF stated.

“GPAA further confirmed that pension payments are not affected.”

Months after this statement, government pension fund systems remained offline. Government employees reported that they could not log into the GEPF website or smartphone app to verify the value of their pensions.

The GEPF website still displays a warning to pensioners about the cyberattack, stating that their personal information may have been compromised.

According to the notice, the data exposed in the breach was extensive and affected approximately 168,000 data subjects. The notice also states that all impacted data subjects were individually notified.

The GEPF said people’s full names, ID numbers, pension numbers, employee numbers, gender, salary, marital certificates, death certificates, banking details, tax numbers, and their spouses’ data were exposed.

This article was first published by MyBroadband and is republished with permission.
