Security researcher Devin Stokes recently took to Twitter to disclose a database vulnerability that was causing the private details of Eskom clients to be leaked online.
Stokes said that he took the decision to go public after Eskom failed to respond to his emails, requests for comment from news organisations, and direct messages on Twitter.
Following the disclosure, Stokes posted a screenshot of a customer record in a live database – which showed the person’s full name and credit card details.
Eskom denied responsibility for the leak, however, stating that it had traced the origins of the problem to an exposed Mongo database hosted on a server in the United States.
“We have managed to trace the company responsible for this server and the database. The company is very cooperative and has since confirmed that the server has been shut down,” said Eskom’s acting chief information officer Nondumiso Zibi.
Following Eskom’s response, a company called EMS Invirotel took responsibility for the leak.
At the time of publication, navigating to EMS Invirotel’s website using HTTPS results in a warning that its security certificate expired more than a year and a half ago. Proceeding despite the warning returns a “Not Found” (404) error. Using HTTP to navigate to the URL caused the site to redirect to Afrihost’s homepage.
An archived version of the company’s site reveals that EMS Invirotel supplies smart metering and utility account management systems.
In a statement published online, which EMS Invirotel has confirmed is authentic, the company confirmed that a database with certain customer information was accessed by an unauthorised third party.
The database was hosted on a cloud server in the United States, EMS Invirotel stated.
It added that it shut off the server while it investigated the issue, and contacted all its customers who may have been or may still be potentially impacted by the security breach.
“We understand and respect the fact that customers place their trust in us when providing their details to us, and we do not take this situation lightly in any regard,” EMS Invirotel said.
“We shall report the matter to the relevant authorities and will work with them in addressing this matter further.”
Hacking attempt caused database to become public
Expanding on the leak, EMS Invirotel said that any security researcher who breached their server would have had to bypass extensive security measures to access the database.
“The security employed on the server was far more advanced than that which is required by the minimum standards, and was regularly updated with the latest security patches,” the company said.
However, according to Stokes, the database was exposed to the Internet without any authentication present.
Queried about this, EMS Invirotel told MyBroadband that a hacking attempt resulted in a particular database being published on an unsecured port, causing it to be publicly accessible.
The “attempted hacking” also caused them to be unable to secure the database after the intrusion was detected, the company said.
“Accordingly the only way that we were able to ‘unpublish’ the database and secure the data was to completely shut down the server, which we duly did,” EMS Invirotel said.