Eskom security team confirms an investigation is underway

A security researcher has taken to Twitter to flag a vulnerability in a database belonging to South Africa’s main electricity supplier, Eskom.

Writing on the social media platform yesterday, Devin Stokes said Eskom – a public utility that generates 95% of the electricity used in South Africa – was exposing customer information online.

“You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public Tweet?” Stokes said to Eskom.

“This is going on for weeks here. You need to remove this data from the public view! You are unnecessarily exposing your customers data!”

Stokes provided redacted screenshots to demonstrate the severity of the disclosure, which is said to have included customer names, addresses, credit card and account information, and energy usage.

The screenshots included timestamps from yesterday (February 5), indicating that this is an ongoing issue.

The Daily Swig has reached out to Stokes for more details but has yet to receive a response.

Eskom’s allegedly poor security practices continued to be discussed online, however, as another Twitter user pointed out that the company purportedly had malware on one of its machines and, more importantly, had no formal point of contact in place with whom researchers could report such issues to.

Jon Bottarini, hacker and lead technical program manager for HackerOne, thinks this latest episode in vulnerability disclosure over Twitter highlights the need for organizations to do more for the researchers who are tasked with keeping our environment secure.

“Accidental breaches of this type further drive home the point that every company should have a formal process to accept vulnerability reports from external third parties,” he said.

“A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something.”

Eskom, the largest producer of electricity throughout the African continent, told The Daily Swig over Facebook that its cybersecurity team was conducting an investigation.

The incident has also reiterated how South Africa currently has no adequate data protection legislation to provide consumers, like those with Eskom, with the basic safeguards when a breach occurs.

“I would say the Protection of Personal Information Act (POPIA) would have applied if it was fully in force,” said Lisa Emma-Iwuoha, an attorney with Michalsons corporate law firm.

“Eskom would have failed to adequately protect its customers' data, and not comply with its security obligations in terms of POPIA. The customers should look at their contract with Eskom because it might be in breach of their contractual obligations.”

RELATED Hetzner hacked in South Africa