Eskom, South Africa’s state-owned power company, has left a database containing partial credit card numbers, CVV numbers (which the PCI DSS card-industry rules prohibit storing at all once a transaction has been authorised), addresses and customer names exposed online, it has emerged.
It is not yet clear how the leak happened, or how many of Eskom’s 5.7 million customers (according to 2016 estimates) have been affected.
The company generates, transmits and distributes approximately 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa, so the potential for cyber attackers to wreak havoc is huge. However, the company has reportedly ignored attempts to bring the exposure to its attention.
Eskom allegedly failed to respond when cybersecurity researcher Devin Stokes alerted it to the issue. Stokes tweeted: “You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!”
Stokes then posted a screenshot of a database containing customer information.
Eskom not the only company to ignore cybersecurity warnings
This is not the first time warnings about the company’s cybersecurity practices appear to have fallen on deaf ears. On Wednesday, a researcher from the whitehat security group MalwareMustDie alerted the company that one of its computers had been infected with a Trojan after a senior infrastructure advisor downloaded a fake SIMS 4 game installer. Both incidents suggest poor cybersecurity practices at the company.
They highlight the all-too-common occurrence of a company failing to act quickly to identify and respond to a breach, even when alerted to the issue.
Jon Bottarini, Hacker and Lead Technical Program Manager for HackerOne, believes that companies need to have a system in place so that if an individual suspects a breach may have happened, they can easily inform the company affected:
“Accidental breaches of this type further drive home the point that every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something.
“Exposing the vulnerability details on Twitter seems to have been the last-ditch attempt on behalf of the security researcher to try and get in contact with someone who can resolve the issue.”
A similar situation occurred last month when the details of millions of jobseekers were left exposed after a MongoDB database (a document-oriented database) was left unprotected. In both incidents, the companies have been criticised for not acting fast enough.
Anna Russell, VP at comforte AG, believes that companies must do more to protect data:
“This example clearly shows just how bad the situation is in a lot of cases when it comes to data security and protecting privacy. Someone getting access to an organisation’s billing software database is about as bad as it can get. At least the credit card number was protected and only showed the last four digits. But all other personal data was available for pretty much anyone to just take it.
“This is a prime example of a breach that is really going to hurt, mainly because all this personal, sensitive data is without any encryption or tokenisation to protect it. Most, if not all, of this data is probably being sold and exploited for identity theft right now. What do we learn from this? No matter what leads to a breach, the data itself must be protected. Otherwise, you will have to switch off the lights very soon.”
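Russell’s point about tokenisation is easiest to see in code. The following is an added illustration written for this article, not code from comforte AG, Eskom or anyone quoted above: a minimal tokenisation layer in which the billing database only ever holds a random token and the last four digits, the real card number lives in a separate vault, and the CVV is used to authorise the charge and never written anywhere. The class and function names (CardVault, tokenise, billing_record) and the sample card number are constructed for the example.

```python
"""
Added example (not from the article or any vendor it quotes): tokenising card
data so an exposed billing table leaks nothing usable. CardVault, tokenise()
and billing_record() are hypothetical names chosen for this illustration.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a primary account number (digits only)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Token -> PAN mapping kept apart from the billing database.

    Here it is an in-memory dict; in a real deployment it would be a
    segregated, access-controlled service (or an HSM-backed store) that only
    the payment-gateway integration may call.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        """Return a format-preserving token: random leading digits, same
        length, real last four digits (so receipts and support screens still
        work), and chosen to FAIL the Luhn check so a token can never be
        mistaken for, or charged as, a card number."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_ok(token) and token not in self._store:
                break
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can map a token back; the billing system cannot."""
        return self._store[token]


def billing_record(vault: CardVault, customer: str, pan: str, cvv: str) -> dict:
    """Build the only row the billing database is allowed to hold.

    The CVV is validated (stand-in for sending it to the acquirer for
    authorisation) and then dropped: the returned dict deliberately has no
    'pan' and no 'cvv' key, so an exposed table yields a token and last four
    digits, nothing more.
    """
    if not cvv.isdigit() or len(cvv) not in (3, 4):
        raise ValueError("invalid CVV")
    token = vault.tokenise(pan)
    return {"customer": customer, "card_token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = CardVault()
    # Constructed sample input: the well-known Visa test number.
    row = billing_record(vault, "customer-0001", "4111111111111111", "123")
    print("stored row:", row)
    print("vault lookup:", vault.detokenise(row["card_token"]))
```

The design point is the separation: whoever can read the billing table (the situation described above) gets a token that fails Luhn and a last-four, while the detokenise path sits behind the vault’s access controls. The CVV never reaches persistent storage at all, which is also what the card-industry rules require.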
Where should the company go from here? Paul Edon, Senior Director at Tripwire, believes that it is not too late for Eskom to resolve the problem:
“It is not too late for the South African electricity provider to patch its vulnerabilities and secure its customers’ privacy, but Eskom will need to adopt a more proactive approach to security moving forward, which should involve actively monitoring cybersecurity flaws and vulnerable entry points. Only by knowing your system will you be able to prevent and respond in a timely manner to threats.”