South African man imprisoned after ransom demand against his former employer

A South African court has given a man an eight year prison sentence after finding him guilty of holding his former employer to ransom, after breaching its security.

36-year-old Lucky Majangandile Erasmus was convicted of 17 charges related to the attempted extortion of payment service provider Ecentric Payment Systems, in what has been described as a landmark case.

In a press release South African police described how Erasmus and a company insider installed software without authorisation on Ecentric’s systems which granted them remote access, enabling them to steal sensitive data and make unauthorised changes to senior managers’ passwords.

On 14 November 2023, Ecentric’s CEO received an email describing various aspects of the company’s IT infrastructure, and was told that if a ransom demand of US $534,260 was not paid within 16 hours stolen data would be shared with the firm’s competitors, regulators and other parties. The email was followed by social media posts attempting to expose the data breach at Ecentric.

At the end of November 2023, another ransom demand was made – this time demanding one million dollars.

Ecentric chose to keep its cool and did not pay any money to its extortionists. As a result of the attack four of the company’s clients are said to have made losses totalling R 794 808.51 (approximately US $212,000.)

Erasmus and his co-accused, 43-year-old Felix Unathi Pupu, were arrested on 14 December 2023 and have been held in custody ever since.

Erasmus entered into a plea agreement with the authorities, which found him guilty of:

• Theft of data
• Attempted cyber extortion
• Cyber fraud
• Unlawful access to computer systems
• Use of unauthorised software or hardware tools
• Interference with networks, data, and storage media
• Unauthorised password resetting

Bellville Specialised Commercial Crimes Court sentenced Erasmus to eight years in prison, with three years suspended for five years – effectively meaning he will spend five years in jail. He has also been declared unfit to possess a firearm.

Erasmus’s conviction is one of the first publicly reported under legislation introduced in 2021, designed to address the rising threat of cybercrime in South Africa.

Pupu is due to appear in court later this month.

All organisations would be wise to take great care about defending their networks from intrusion, recognising the threats that can be posed by both former and current staff if appropriate steps to ensure protection are not taken.