
Student Whistleblower Exposes Massive NSFAS Data Breach Risk


A major security catastrophe was narrowly averted thanks to the sharp eyes of a Cape Town university student. Connor Bettridge, a third-year student at Varsity College, discovered a critical vulnerability in the National Student Financial Aid Scheme (NSFAS) portal that could have exposed the sensitive personal data of every student who applied for funding since 2022.


The Discovery: A “Glaring” System Leak

The flaw was first spotted when Bettridge noticed a public-facing panel on the NSFAS portal that displayed every message the system had sent to its users. Because the panel required no login, this included:

  • One-Time PINs (OTPs): the codes sent to users for password resets, so account-recovery secrets were readable by anyone who found the panel.
  • Administrative Alerts: internal notifications, allowing a potential attacker to read the organisation's internal communications.

By “deobfuscating” the website’s JavaScript (reading the minified front-end code to find the API endpoints it calls), Connor and his brother Jordan discovered that the API (Application Programming Interface) behind the portal was almost entirely unsecured: the endpoints did not require a valid login or check whose data was being requested. Minifying client-side code hides nothing from a determined reader, since the browser must be able to call every endpoint; only server-side authentication and authorisation checks on each endpoint can protect the data. This would have allowed an attacker to not only download student data but also take over administrator accounts to approve or reject funding applications.


What Was at Risk?

The extent of the data exposure was staggering. The vulnerability provided a potential “all-access pass” to the following information for millions of students:

  • Full names, ID numbers, and home addresses.
  • Financial records and household income levels.
  • Disability status and Consumer Profile Bureau (CPB) codes.
  • Contact details for both students and their parents.

The “White Hat” Struggle

Despite the severity of the find, the Bettridge brothers struggled to get NSFAS to listen. Fearing prosecution under the Cybercrimes Act if they performed a “proof-of-concept” hack, they instead tried to report the bug through official channels. They were “sent in circles” by NSFAS call centers until they reached out to MyBroadband, who eventually escalated the matter to the highest levels of the organization.


NSFAS Response and Legacy Issues

Waseem Carrim, the acting CEO of NSFAS, confirmed that the vulnerability has now been closed. The organization stated it has “strengthened access controls” and is reviewing system permissions to prevent a recurrence.

However, this incident highlights a long-standing warning. In August 2025, former board chair Karen Stander warned that the entity’s aging ICT systems were a ticking time bomb. This has prompted calls from Parliament’s Portfolio Committee for a forensic investigation into why millions in Treasury funds allocated for ICT upgrades failed to secure the system.
