An unsecured database leaves off-the-grid energy customers exposed

An unprotected database containing personal customer data of thousands of off-grid electricity customers was accessible for months.
Written by Zack Whittaker, Contributor

The company, which supplies solar powered devices for rural off-grid homes, stores thousands of records in its web-based database server, which was until earlier this month accessible by anyone. (Image: Kingo)

Thousands of remote villagers in Guatemala and South Africa are living off the grid, but their personal information isn't.

Chris Vickery, lead security researcher of the MacKeeper security research team, discovered an unprotected database with no password over two months ago. Anyone who knew the database was there could access more than 40 gigabytes of customer data.

He published his findings in a blog post.

The database, run by Guatemala-based energy startup Kingo, has exposed the personal information of more than 18,800 customers, both in its home country and in South Africa.

Since 2013, Kingo has supplied thousands of prepaid solar power systems to low-income and poverty stricken areas where traditional electricity supplies can't reach. The company provides, owns, and maintains the solar power technology used in each home, and customers top-up the device with prepaid codes, which are bought from authorized distributors -- often local members of the community -- and are punched into the device by the homeowner to run lightbulbs and charge cell phones for extended periods of time.

But to get that far, customers must sign up by providing their state identification -- usually a national ID card or a passport, and sign contracts which govern the terms of service, such as maintenance and malfunctions. Once a homeowner is registered, any data associated with that homeowner is stored and logged into the company platform, known as Ant, a cloud service which stores all information associated with a customer's details, contracts, energy usage, and support requests, and any other relevant data.

It's believed that the company's Ant web database was left open for months on end.

Vickery shared access to the database with CNET en Español and sister-site ZDNet to verify the authenticity of the data.

Each of the 18,800 records contained the homeowner's full name, and address and the exact GPS coordinates of their home, occupation, and cell phone number (where applicable). From the dozens of records we examined, every record had front and back photos of each homeowner's national identification card or documents, which include personal information such as their unique state identification number photos, sex, marital status, nationality, their birthplace, and signatures (where applicable, given that about a quarter of the Guatemalan population cannot read or write).


Two of the leaked identification cards -- on the left, a South African ID, and a Guatemalan ID on the right. (Image: leaked database)

A number of photos are attached to each record. Every customer record that we reviewed included a photo of the person's home, as well as any equipment on loan (such as Kingo's prepaid solar generator). The database also contains a copy of the contract signed by the homeowner. In many cases, a fingerprint is used in place of a signature.

Vickery told me that open access to the database is "massive identity fraud waiting to happen."

Only one-in-four native Guatemalans and about half of the South African population have access to the internet, ensuring that many of those affected may never read this article. That disadvantage puts two already vulnerable groups of people at greater risk of becoming victims of crime.

Renata Avila, a human rights and tech lawyer with deep knowledge of the region, is all too familiar with the risks to people in Guatemala's rural communities.

"I consider this negligence... an epic, irresponsible mistake," she told me in an email, after she was told of the breach. "It makes me wonder how many 'development workers' or 'social entrepreneurs' are as negligent with personal data of the marginal."


Photos of homes were also taken by Kingo staff, and were stored in the database. This is one example. (Image: leaked database)

Avila described how drug cartels and extractivists thrive in subregions where electricity is scarce.

"Having the exact coordinates of homes and pictures of people living in the area... that is something really powerful and dangerous, which can be easily abused," she said. There have been numerous documented cases in recent years where human rights violations, like murders and private surveillance, have been linked to business interests in the region.

"The rural struggle over resources is also problematic: imagine if the mining company you are opposed to knows exactly where you live?" she said. "It will be different if the details exposed were from the rich oligarchs," said Avila.

To think that others would not find the data is naive. Finding an open database like Kingo's might seem difficult given the size of the internet, but it's easily found for those who know where to look. Specialist search engines like Shodan.io can help narrow down the search for unprotected webcams, systems, and databases just sitting on the internet ready to be accessed.

Any consequences that Kingo could face from the fallout of this data leak vastly differs from what many Westerners would expect. Guatemala, for one, has no data protection frame to speak of, said Avila.

And yet the picture is remarkably similar in South Africa where the company has a smaller but sizable presence, despite greater efforts by the government to push through tougher data protection laws.

South Africa's most recent legislation, introduced in 2013, gives individuals the right to know how their data is collected, used, and stored, and defines who is responsible for the data. Anyone found flouting the law or not protecting customer data can be fined up to R10 million (around $694,000) or even face jail.

But, according to an April 2015 review of the legislation by Privacy International, the law has a way to go before it's fully enacted.

"As a result, the potential of this law to protect the right to privacy remains untested and notably the authority envisaged to monitor the protection afforded to personal data is yet to be constituted," said the review.

Now, more than a year later, a commencement date for enforcing the law has still not been announced, ensuring that Kingo is unlikely to face legal repercussions in either market it operates in.

After disclosing the leak to the company, Vickery confirmed that the database had been secured with a password. But it took almost a week for the company to respond after it was first contacted.

A spokesperson for Kingo said on Monday that it had "taken immediate actions in order to secure the data."

"As an [sic] startup company we are constantly moving in order to have better and more reliable information systems," the emailed statement said. "This is why we appreciate your inputs related to the recent database issue reported. We have taken immediate actions in order to secure the data. We are going to invest the needful resources in order to guarantee the privacy of our customer's personal information."

With data protection barely making it into the national agenda, given the country's tumultuous political climate, companies like Kingo have no incentive to improve their security.

Or, as Avila put it: "Frankly, in a country with thousands of murders per year, data theft and data leaks are very low priority."

CNET en Español editor Laura Martínez contributed to this report.

Editorial standards