South African Power Firm Eskom Fails To Secure Customer Data

A security researcher resorted to a public tweet about a serious data breach involving customer data, after a South African electricity provider ignored all other pleas to resolve the leak.

Security researcher Devin Stokes issued the public tweet to Eskom, which is South Africa’s state-owned electricity company.

The fact that Eskom, which supplies 95 percent of the electricity to South Africa and indeed other African nations, did not respond to the security researcher’s pleas will come as little surprise to people who know the firm, or have dealt with it.

Eskom leak

“You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet?” tweeted Devin Stokes in desperation. “This is going on for weeks here. You need to remove this data from the public view! You are unnecessarily exposing YOUR customers’ data!”

Stokes then posted a screenshot of a customer record in a live database, which showed the person’s full name and credit card CVV.

After that public shaming, at least one media outlet did manage to get some form of acknowledgement about the data breach from Eskom, but the power firm displayed a typically dismissive attitude to the leak.

When queried about the leak by the mybroadband.co.za website, Eskom said that its group IT department was conducting investigations to determine whether sensitive Eskom information was compromised.

“We will comment fully once the investigation is concluded,” Eskom reportedly said.

Expert take

This poor response from the firm triggered a sharp response from security researchers.

“A company of the size of Eskom cannot compromise on its security posture,” said Paul Edon, senior director at Tripwire. “The fact that a third-party security researcher had to publicly flag the data leak to Eskom’s CEO on Twitter reveals a wider problem in their overall approach to data security that unfortunately some companies still have.”

“There is a tendency for boardroom executives to operate with a reactive mindset, and although understandable, since attacks are difficult to visualise until they happen, it is still unacceptable,” said Edon.

“A database of personal data is always an appealing target to cybercriminals, especially since the records exposed in the Eskom attack appear to include banking and credit card information, which have become a high commodity easily sold on the dark web,” he added.

“It is not too late for the South African electricity provider to patch its vulnerabilities and secure its customers’ privacy, but Eskom will need to adopt a more proactive approach to security moving forward, which should involve actively monitoring cybersecurity flaws and vulnerable entry points,” said Edon. “Only by knowing your system will you be able to prevent and respond timely to threats.”

Another expert also cited the Eskom case as an example of how lax some firms can be about securing their systems.

“This example clearly shows just how bad the situation is in a lot of cases when it comes to data security and protecting privacy,” said Anna Russell, VP at comforte AG.

“Someone getting access to an organisation’s billing software database is about as bad as it can get,” said Russell. “At least the credit card number was protected and only showed the last four digits. But all other personal data was available for pretty much anyone to just take it.”

“This is a prime example of a breach that is really going to hurt, mainly because all this personal, sensitive data is without any encryption or tokenisation to protect it,” she said. “Most, if not all, of this data is probably being sold and exploited for identity theft right now.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...