Eskom at odds with researcher over alleged database leak

Read time 3min 30sec
It's not clear whether Eskom's customer database has been compromised.
It's not clear whether Eskom's customer database has been compromised.

Power utility Eskom and a cyber security researcher are at odds over the leaking of an alleged Eskom database online that exposed customers' sensitive data.

Earlier this week, researcher Devin Stokes accused Eskom of ignoring his complaints that the power utility's live customer database, including credit card and other payment details, had been exposed online.

Stokes went on to tweet: "@Eskom_SA You don't respond to several disclosure e-mails, e-mail from journalistic entities, or twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!"

However, Eskom acting chief information officer Nondumiso Zibi said the server and database in question does not belong to Eskom, and it is not hosted on its network.

"We have traced it and can confirm that it is hosted in the US," said Zibi. "We have managed to trace the company responsible for this server and the database. The company is very co-operative and has since confirmed that the server has been shut down."

Notwithstanding this, Eskom's group information technology team is conducting further investigations to determine whether the data in question is valid and belongs to Eskom customers, the power utility says.

Following Eskom's response, Stokes stuck to his guns, later tweeting: "I never even gave them an IP of a server. How would they know which one?"

Commenting on the stand-off, Charl van der Walt, founder member and MD of cyber security firm Sensepost, says there is very little factual evidence, except for the screenshots provided by the security researcher.

"Whether data was leaked, there is no concrete evidence. However, considering that he [Stokes] stumbled upon it, it is likely that others have too. This is a common problem that occurs in enterprises, usually due to misconfigurations by inexperienced individuals."

According to Van der Walt, the completeness and how current the information is can affect the victims through identity theft or targeted malware campaigns.

He points out that from the data supplied by the researcher, there is a lack of PCI compliance by the processor of the database.

"What is more concerning is the lack of communication between the researcher and Eskom. There is a lesson for Eskom to learn about how to engage with security researchers on the Internet making claims about security incidents. It is expected that this type of situation will happen again in the future," says Van der Walt.

Jon Tullett, research manager for IT services for Sub-Saharan Africa at IDC, comments: "There's a semantic game going on there. The [Eskom] statement says the database doesn't belong to Eskom, not that the data doesn't.

"In other words, it's plausible that Eskom customer data leaked, and was then housed in a third-party database, and Eskom appears to accept that this is possible."

Tullett points out that right now we don't know, so it's a question of probabilities. "There are separate issues to consider here; the two most relevant being whether the data is valid at all, and separately whether it was Eskom who lost control of it.

"Validity is most urgent. Whether it's data from Eskom or a different service provider, if it's high-risk personal data then a lot of people may be exposed to financial fraud and identity theft."

He adds that if the data is not valid (dummy data for testing, for example, or old data without any current records) then the immediate risk is lower, but there's still the concern that it leaked from somewhere, and this may not be the full extent of the leak.

"Eskom should be conducting a forensic review to identify potential breaches - it's not enough to just dismiss one data-set and assume everything else remained secure," Tullett concludes.

See also