The City of Johannesburg (COJ) says the criminal case it has opened with the police after its online system was breached is not against a specific individual, and it is up to the prosecutor to decide if anyone should be charged.
Last week, it was revealed that the COJ's online services system, which allows residents to view their account statements online, also allows residents' names, addresses, account numbers, PIN codes and financial details to be available to anyone with an Internet connection. The flaw was revealed by Bid or Buy CTO Gerd Naschenweng.
COJ spokesperson Nthatisi Modingoane says the city became aware of the security flaw after it was reported in the media. "As such, the city immediately conducted investigations and found there had been numerous unauthorised downloads by persons other than the account-holders. As a precaution, the city immediately shut down the Web site."
Mondingoane reiterated that at no stage was any of the city's residents' personal information compromised. "The information that was accessed was not from the transactional engine of the billing system of the City of Joburg and the perpetrators were not able to transact on any of the information they have accessed."
As to whether the flaw was not merely a simple security oversight, Modingoane says the city believes that offences had been committed under the Electronic Communications and Transactions Act relating to unauthorised access or access without permission, as well as assisting others to gain access. "The City of Johannesburg has an obligation to protect its citizens and will let the law take its course," he says.
Meanwhile, whistleblower Naschenweng has appointed a legal team as a precautionary measure. "[I appointed lawyers] to protect my rights. Although I have not been named by the COJ or media, this has been implied in various ways since I attempted to notify COJ about the security issues and data-leaks on their Web site," says Naschenweng.
He says the COJ has been informed of his legal representation. "We have also offered to assist the COJ if necessary to resolve their issues and consult with their IT team in order for COJ to fix the security flaw."
However, says Naschenweng, to date neither he nor his legal team have received any correspondence from the city. "I still maintain that allegations of the COJ Web site being ‘hacked' and that no ratepayer information was compromised is incorrect."
Modingoane confirmed the city's online system is still down, and was unable to indicate when it is expected be back up again.
"The security of the city's IT systems is of utmost importance. The system can only be restored when the city is satisfied that there are no security concerns. The city is working around the clock and will keep the residents informed of the development."