Eskom has largely resolved a breach in its online vending system (OVS) that allowed people to obtain free electricity, facilitated by staff colluding with criminals, it says.
The power utility notes the breach revealed “critical vulnerabilities in both the physical and cyber security components of the utility’s prepaid electricity infrastructure”.
The breach, first revealed in December, involved the generation of illegal prepaid electricity tokens, with suspected staff collusion, to bypass controls and facilitate fraudulent sales. Such activity results in a direct loss of revenue, as Eskom still provides the electricity when the token is loaded onto a meter.
In its latest annual results, Eskom said it lost millions due to what it calls non-technical energy losses during the year, as the result of theft, fraud and administrative errors. It said “there is a risk that non-technical energy losses could increase in the future” because of the breach.
Eskom is among several entities to have faced cyber attacks recently, with at least six notable breaches reported across South African companies and government entities, highlighting the growing risks to digital systems.
Prepaid electricity is sold through an online system that creates secure, encrypted tokens. When a vending agent requests a token, Eskom first checks the agent’s credit and then verifies the customer’s meter details, generates the token, and sends it through the agent.
In theory, the meter only unlocks the token if identification details are verified, and tokens cannot be sold if the agent cannot connect securely to Eskom’s systems.
In a statement released yesterday, Eskom said “fraud linked to the OVS has now been reduced to very low levels of activity”.
The utility says it has strengthened the system through several key measures, including tighter physical and cyber security, enhanced user-access controls with weekly monitoring, and early risk-detection tools.
Smart meters and monthly reconciliation now help track fraud, while a new, more secure vending platform is being rolled out to replace the current system, Eskom says.
This comes as National Treasury ramps up the installation of prepaid meters to help municipalities pay debt owed to Eskom, which is nearing R100 billion.
The government project aims to install 250 000 smart meters by the end of the 2027 financial year, improving tracking of consumption for more accurate billing.
“We are fully aware of the challenges that have emerged within the OVS environment, and we have taken clear steps to address them. Our focus is on restoring trust, strengthening our systems and ensuring our customers can rely on a secure and efficient service,” says Eskom CEO Dan Marokane.
“This is not just a technical fix; it is part of a broader commitment to transparency, operational excellence and accountability.”
Jacqui Muller, researcher at Belgium Campus iTversity, says Eskom’s clampdown on the OVS breach is technically feasible because it combines industry-standard controls, such as hardware-secured token generation, stricter access governance and smart-meter reconciliation.
“The real challenge is less about the technology itself and more about phasing out legacy systems, tightening insider risk management, and ensuring municipalities and vendors keep pace with the rollout of secure vending platforms. We have not seen the last of the cyber attacks on our state-owned enterprises,” comments Muller.
Following the breach, an independent forensic investigation was launched to identify root causes and provide recommendations. Eskom also handed the matter to the relevant investigative authorities and opened an internal enquiry into 22 employees who may have benefited from illicit tokens.
“Two employees have been put on precautionary suspension whilst investigations are ongoing,” Eskom noted in its 2024 results.
The utility says it continues to work with law enforcement agencies and will share findings once investigations are complete and disclosure is appropriate.
Share