Security researcher Devin Stokes has disclosed a vulnerability in Eskom’s information systems that is leaking customer data.
Stokes said that he took the decision to go public after Eskom failed to respond to several disclosure emails, emails from news organisations, and direct messages on Twitter.
He said that the leak has been going on for weeks.
“You need to remove this data from the public view! You are unnecessarily exposing your customers data!” said Stokes.
In a follow-up tweet, Stokes posted a screenshot of a customer record in a live database, which showed the person’s full name and credit card CVV. This has been blurred out in our screenshot.
Information on what is causing the leak, or how the customer data was accessed, was not disclosed by the researcher.
Queried about the leak, Eskom said that its group IT department is conducting investigations to determine whether sensitive Eskom information was compromised.
“We will comment fully once the investigation is concluded,” Eskom said.
Update – Eskom comment
Eskom’s Acting Chief Information Officer, Nondumiso Zibi, said the server and “Mongo” database in question does not belong to Eskom – and it is not hosted on its network.
“We have traced it and can confirm that it is hosted in the US,” said Zibi.
“We have managed to trace the company responsible for this server and the database. The company is very co-operative and has since confirmed that the server has been shut down.”
Notwithstanding this, Eskom’s Group Information Technology team is conducting further investigations to determine whether the data in question is valid and belongs to Eskom customers, said the company.
News that an Eskom customer databases is leaking sensitive data comes after a security researcher from the MalwareMustDie security research work group reported that an Eskom employee downloaded a trojan onto her computer.
According to the researcher, the employee downloaded a fake Sims 4 installer – which resulted in her company credentials being compromised.
Eskom did not confirm the details of the infection, but later thanked the hacker on Twitter, stating that the issue had been investigated and the necessary action taken.
@Eskom_SA You don't respond to several disclosure emails, email from journalistic entities, or twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!
You are unnecessarily exposing YOUR customers data! pic.twitter.com/MgAOWrRv8o
— stoXe (@DevinStokes) February 5, 2019