Security | 19.12.2024

Eskom prepaid electricity system breached

An investigation has uncovered that security controls in Eskom’s online vending system (OVS) were breached and the system was used to generate illegal electricity tokens in bulk.

The power utility suspects some of its own staff may be involved in the crime and has appointed an external IT company to conduct a forensic probe into the breach and to make recommendations on fixing the OVS’s vulnerabilities.

The OVS was first implemented by Eskom in 2008 to combat so-called “ghost” vending of electricity tokens sold through offline credit dispensing units that had been stolen or lost.

The OVS facilitates the dispensing of prepaid electricity via virtual channels including banking apps, remote terminals such as ATMs, and other vending stations.

“The system vends electricity tokens from the main Eskom central server through approved national vending agents using a secure backend in real-time,” the power utility explained in its 2024 integrated report.

“The system should not permit any external vending channel to vend a token if the vending agent cannot communicate with the Eskom server or cannot be authenticated via the secure protocol.”

“Once the token is generated, it is encrypted, stored in the OVS database, and sent to the customer by the vending agent.”

“Once the customer enters the token, the prepaid meter decodes the 20-digit token using the Standard Transfer Specifications security protocol, and only accepts the token if all the related information matches the OVS system and is accepted as valid.”

“If the information does not match, the token will be rejected.”

However, these controls were not sufficient, and Eskom strongly suspects that some of its own staff had successfully colluded with illicit operators and compromised the OVS to facilitate the creation and sale of fraudulent prepaid electricity tokens, both for key revision number (KRN) 1 and KRN 2 meters.

An infographic comparing the basic functioning of Eskom’s discontinued offline and online vending systems.

Concerns over sole supplier’s conflict of interest

The utility’s Audit and Risk Committee (ARC) acknowledged that the prepaid electricity ecosystem exposed Eskom to various risks, including the creation and use of illicit tokens from which the utility derives no revenue.

In addition, Eskom relies on a single supplier for the OVS’s software and hardware solutions. The supplier is also a distributor of the tokens, creating a possible conflict of interest.

The ARC provided oversight of the progress of the investigation into the breach of the OVS and the implementation of action plans.

The latter includes improved cybersecurity controls to prevent the creation of illicit tokens as far as possible.

ARC also requested that all service-level agreements in the prepaid electricity ecosystem be reviewed and that the related risks be evaluated and appropriately addressed.

“This could include the possible exit of agreements where the risk is considered intolerable, as well as implementing a process where national vending agents must provide assurance reports on controls and submit independent confirmation that their systems are secure and that they are only selling valid prepaid electricity tokens,” Eskom’s integrated report said.

In his introductory comments at Eskom’s 2024 annual financial results presentation on Thursday, 19 December 2024, Eskom board chairperson Mthetho Nyati said the issue contributed to the delay in the publication of Eskom’s results.

Eskom typically announces its annual results in the third quarter of each year.

Nyati explained that Eskom was unable to reliably estimate its potential financial obligation arising from the exposure that illicit tokens could still be used in the future.

There is a high level of uncertainty around the number of illicit prepaid electricity tokens generated through the OVS that remain in circulation and are still compatible with Eskom meters after the KRN rollover.

Eskom said it would provide an update on the investigation once it is finalised and that the matter was also being handled by the “relevant state investigative authorities.”

Eskom has estimated that 13.9 terawatt-hours (TWh) of electricity it supplied during the 2024 financial year was lost to electricity theft, including through illegal tokens and bypassed meters.

The power utility has calculated that this cost it roughly R23 billion in revenue during the year.
