Researcher reveals data leak at South Africa’s main electricity provider

Updated: It appears using Twitter to reveal the news was a last-ditch attempt for Eskom to take the exposure seriously.

In what may be a case of "if we ignore it, it will go away," South Africa's largest electricity company has become the subject of the public exposure of customer data after ignoring researcher pleas to resolve the problem.

Eskom is South Africa's state-owned electricity company which generates approximately 95 percent of the region's electricity, as well as roughly 45 percent of all of the electricity used across the African continent.
 
On Tuesday, cybersecurity researcher Devin Stokes sent a public tweet to Eskom which appears inlaid with frustration at non-communicativeness from the electricity provider. 

Stokes said, "You don't respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!"

See also: Software executive exploits ATM loophole to steal $1 million

The following image contains a screenshot of what appears to be customer and service-related data, including account IDs, start and end service dates, and meter information:

screenshot-2019-02-06-at-09-10-18.png

Several hours later, Stokes published a further screenshot with a live timestamp, commenting, "OK. It got worse." 

It appears that this database entry contained some of the financial data of a customer, including name, card type, a partial card number, and CVV, the three-digit security code which is required for purchases in-person or online.  

screenshot-2019-02-06-at-12-37-29.png

According to the researcher, the electricity provider has left its billing software database exposed, lacking so much as a password.

The most recent customer estimates available, published in 2016, claim that Eskom accounts for roughly 5.7 million customers across South Africa. It is not known how many customers may have been involved in the reported breach. 

TechRepublic: Why your business needs to work with the government to fight cyber warfare
 
However, this may not be the only security failure Eskom needs to grapple with -- as one of the company's own employees may have complicated matters further in their gaming enthusiasm.
 
In a screenshot posted by MalwareHunterTeam, another Twitter user warned Eskom of the existence of a Trojan on one of their networked, corporate machines. The user reported that the Trojan infected the machine through a fake SIMS 4 game installer. 

screenshot-2019-02-06-at-09-21-58.png

The Twitter user, going under the handle "@sS55752750," added that the offending employee is a "senior infrastructure advisor."

While there has been no news on the exposed database, Eskom did thank the researcher who disclosed the Trojan's existence, saying, "This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention."

"Accidental breaches of this type further drive home the point that every company should have a formal process to accept vulnerability reports from external third parties," Jon Bottarini, Lead Technical Program Manager for HackerOne told ZDNet in response to the news. "Exposing the vulnerability details on Twitter seems to have been the last-ditch attempt on behalf of the security researcher to try and get in contact with someone who can resolve the issue."

CNET: Google+ pages will shut down on April 2

Update 12.47 GMT: Eskom told ZDNet that the company is "conducting investigations to determine whether sensitive Eskom information was compromised as a result of this incident," but will not comment further until the investigation has been concluded. 

Previous and related coverage