South Africa’s largest electricity company, Eskom, is currently going through a bad financial phase. While the government led by President Cyril Ramaphosa is considering measures to improve Eskom’s condition, a new report has pinpointed flaws in the power utility’s data system that are exposing customers’ personal information, including name, card type, a partial card number, and the three-digit card security code (CVV).
Security researcher Devin Stokes recently took to Twitter to publicly disclose a vulnerability in Eskom’s information systems after the power utility ignored several disclosure emails, emails from news organizations, and direct messages about the security flaw.
He shared a screenshot of a customer record in a live database, which showed the person’s full name and credit card CVV. This has been blurred out in our screenshot.
“You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view! You are unnecessarily exposing your customers’ data!” Stokes noted on Twitter.
Stokes noted that the leak has been going on for weeks. However, he did not disclose any information on what is causing the leak or how the customer data was accessed. It currently remains unknown how many customers may have been affected by the reported breach.
Eskom thanked the researcher who disclosed the Trojan’s existence, saying, “This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention.”
The power utility said that its group IT department is already conducting investigations to determine whether sensitive customer information was compromised.
“We will comment fully once the investigation is concluded,” Eskom said.
The news of Eskom leaking sensitive data comes after a security researcher from the MalwareMustDie security research workgroup reported that an Eskom employee downloaded a Trojan onto her computer. As per reports, the Trojan infected the machine through a fake SIMS 4 game installer.