
Ekurhuleni ups online security

The Ekurhuleni municipality discovers 'a potential security vulnerability' during a system review in response to a recent COJ incident.

By Marin'e Jacobs
Johannesburg, 23 Aug 2013
The Ekurhuleni Metro municipality says the City of Joburg incident has led to the municipality taking extra precautionary security measures to protect its consumers.

The Ekurhuleni Metropolitan Municipality has discovered a potential security vulnerability on its online billing site during a review of its systems following the recent City of Johannesburg (COJ) incident.

Sheldon Quarmby, CEO of Interfile, which manages the municipality's eSiyakhokha online billing site, says the company has dealt with the vulnerability on the system. "However, it is important for ratepayers to be aware there was no security breach."

The vulnerability Quarmby is referring to is presumably similar to the COJ security flaw. According to tech blog Htxt.Africa, once a user is logged onto the eSiyakhokha system, they can access other residents' invoices by entering a direct URL link to the files. This means customer invoices containing address details and statements of arrears for citizens and businesses that have registered with the online system are accessible to anyone with an existing account and login.

Htxt.Africa says Quarmby admitted the problem exists, even though "the system was put through rigorous penetration testing by both a local and international security provider before it was set live".

Ekurhuleni CIO Kiruben Pillay says customers can rest assured its online billing system is secure and protected, in line with ICT industry security best practices. "Users must register on the site before they can access their information. After registration, they are issued with a username and password to access their account information. You can only view your own statements on the site; no additional information is accessible."

Pillay says the COJ incident has led to the Ekurhuleni Metro taking extra precautionary measures to protect its consumers. "We have reviewed our eSiyakhokha services for any security flaws and have dealt with a potential flaw that we detected. Furthermore, we have reviewed the eValuation Web site and the prepaid electricity systems managed by third parties, and can advise that there are adequate security controls in place, which prevent security breaches, such as others being able to view or edit another customer's information."

Legal steps

Meanwhile, the COJ is still keeping mum on the reasons for its decision to undertake legal proceedings, after a security flaw on its online system was revealed this week.

Chief technology officer at Bid or Buy Gerd Naschenweng revealed on Tuesday that the COJ online services system, which allows residents to view their account statements online, also allows residents' names, addresses, account numbers, PIN codes and financial details to be available to anyone with an Internet connection.

The city took down the system to fix the security flaw, and announced on Wednesday that it "is undertaking legal proceedings against those who viewed and posted information unlawfully".

Naschenweng has told ITWeb that COJ's claims that the incident was the result of a sophisticated hack are absolute rubbish. "I don't believe that I've done anything wrong. If they want to file criminal charges against me, they are welcome to. It is a pity they choose to embark on this witch-hunt, instead of just being transparent about this."

The city issued a statement yesterday saying no personal information from residents has been compromised. "The information that was accessed was not from the transactional engine of the billing system of the COJ and the perpetrators were not able to transact on any of the information they have accessed," said the statement.

The city will now conduct its own forensic investigation with its IT partner to assist the police with the criminal case that was opened as a result of this incident.

"We are committed to keeping our residents informed about progress on the matter and the actions that have been taken as part of our investigation to ensure we deal with this matter effectively. Criminal acts of this nature will not go unpunished," says the city.
