R1.6 Billion Missing After Hackers Ran Free Inside Major South African Metro’s Systems
Why It Matters
The breach underscores the vulnerability of public‑sector financial systems to both external hackers and insider threats, threatening service delivery and taxpayer confidence across municipalities.
Key Takeaways
- Hack cost R1.19 bn, only R891 m recovered.
- VPN access via unsecured Wi‑Fi enabled breach.
- Insider collusion weakened firewalls and monitoring.
- New SSA‑run SOC and endpoint tools deployed.
- Manual banking updates stopped; invoices routed through CSD.
Pulse Analysis
South African municipalities are increasingly targeted by sophisticated cybercriminals, and the Ekurhuleni incident illustrates how a single vulnerability can cascade into billions of rands in losses. The attackers leveraged an open Wi‑Fi hotspot at a municipal licence station to gain VPN credentials, a tactic that bypasses traditional perimeter defenses. Once inside, they manipulated billing accounts, erased debts and generated fraudulent invoices, exploiting the city’s reliance on legacy financial software and fragmented security policies.
The breach also revealed a troubling insider component. Former consultants and ICT staff deliberately disabled night‑time monitoring and created firewall loopholes, allowing the intrusion to persist undetected for months. Such collusion amplifies the impact of technical flaws, turning a preventable breach into a systemic fraud. For public entities, this highlights the need for robust access controls, continuous monitoring, and strict segregation of duties, especially where financial data and payment processes intersect.
In response, Ekurhuleni partnered with the State Security Agency to establish a 24/7 security operations centre, deploy advanced endpoint protection, and implement tamper‑proof transaction logs. The shift to the Central Supplier Database for invoicing eliminates manual banking updates, reducing the attack surface. These measures serve as a blueprint for other municipalities seeking to harden their digital infrastructure, emphasizing proactive threat hunting, regular penetration testing, and comprehensive employee vetting to safeguard public finances.