Wild goats and open gates: government’s websites are asking to be hacked | GroundUp
-->
Skip to main content
location
republish
phone
search
rss
youtube
copyright
creative-commons
-->
menu
cross
share
home
creative-commons
Search
Wild goats and open gates: government’s websites are asking to be hacked
Government websites outside SITA’s network carry more than 4,400 security flaws. One in every five servers is vulnerable (part 2 of 4)
11 June 2026
| By Joel Cedras and Nathan Geffen
News
South Africa
Share
Add GroundUp on Google
Whether managed by the State Information Technology Agency, internally or by third parties, government public-facing servers are plagued with insecurities. Illustration: Lisa Nelson
Government websites are insecure and a mess. The Constitution says that officials must provide us, the public, with “timely, accessible and accurate information”. The way that is done in the modern world is through websites.
But the gov.za websites are highly insecure. They are vulnerable to viruses and ransomware. There have been many reports of the state’s systems being penetrated by hackers.
We previously reported that the State Information Technology Agency (SITA), the body responsible for much of the state’s computer systems including websites, has more than 5,000 known security flaws across its public-facing network on the internet.
We have now examined the government websites and services outside of SITA’s network, using the same industry tool. These internet services are scattered across Telkom, Vodacom, MTN, Microsoft Azure, municipal servers, private hosting companies, and more. Some appear to be managed by government departments themselves. Some appear to have been built years ago by whoever was cheapest (or most expensive) at the time, and not meaningfully touched since.
Read our four-part series on government websites
The state says its computer systems are secure. They’re not!
Government’s websites are asking to be hacked
Do you need something from a government website? Good luck!
How to fix government’s websites
It is not just SITA’s network that is plagued with vulnerabilities; it is the entire government network.
SITA’s network has about 1,100 public-facing systems, of which one in seven carries a known security vulnerability. The non-SITA government internet, which is smaller (516 systems), has one in five hosts vulnerable. The network is less than half the size, yet has nearly as many critical security flaws.
When we reported that SITA’s oldest unfixed security flaw dates back to 2006, we expected that to be a low-point. But we have found that the non-SITA government internet has about 36 systems with vulnerabilities first documented in 2007: the year the iPhone launched and South Africa won the Rugby World Cup in Paris, and apparently the last year anyone updated these systems. All 36 systems carry exactly the same 15 severe vulnerabilities (some with more).
One of the worst examples comes from Amathole District Municipality in the Eastern Cape. One of its servers, hosted in a Microsoft data centre, carries over 353 known security vulnerabilities, of which 94 are rated “critical”. (Just to be clear: it is absolutely NOT Microsoft’s responsibility to fix this; it is the municipality’s responsibility.) To give you a sense of how bad this is, SITA’s entire network of more than a thousand systems has 125 unique critical flaws in total. This municipality has managed to accumulate 75% of that on a single server. In a strange way, it is quite impressive.
Witzenberg Municipality in the Western Cape matches that almost exactly: 347 vulnerabilities, 94 of which are critical, on one website. It runs the same software as Amathole – Apache 2.4.7 on Ubuntu 14.04. Ubuntu is an operating system, akin to Windows. Ubuntu names each new version after animals, and version 14 got the name “Trusty Tahr”. A tahr is a type of wild goat (you can see them on Table Mountain). This version has not been trustworthy since April 2019*, when support for it ended. The operating system has been accumulating unaddressed security flaws for over seven years.
Who is in charge?
SITA’s network, for all its flaws, has a network space with predefined addresses, and one body at least partially responsible for it. But the non-SITA government internet has no equivalent. It is distributed across more than fifteen distinct hosting providers, and there is no single entity that has the mandate (or the inclination) to coordinate security across all of them.
What happens when something needs fixing? Well, it depends on who built the system, when last they were paid, and whether they are still in business.
The agriculture department has a server carrying 152 known vulnerabilities of which 37 are critical. The server is not hosted on the SITA network, but by Dimension Data (one of SA’s largest, most reputable IT companies). That does not mean that it...