South African electricity utility Eskom accused of ignoring customer credit card compromise
Names, addresses, energy usage and even full credit card data exposed online by South Africa's monopoly electricity company
Eskom, South Africa's monopoly state-owned electricity utility, has been accused of ignoring complaints that its live customer database - including credit card and other payment details - has been exposed online.
The company has been accused of turning a deaf ear to complaints from security-savvy customers - even after they have gone public with the information.
"You don't respond to several disclosure emails, email from journalistic entities, or Twitter direct messages, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view! You are unnecessarily exposing YOUR customers' data!" wrote developer and security pro Devin Stokes in a tweet on Tuesday.
"Every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something," Jon Bottarini, hacker and lead technical program manager at HackerOne told Computing.
He continued: "Exposing the vulnerability details on Twitter seems to have been the last-ditch attempt on behalf of the security researcher to try and get in contact with someone who can resolve the issue."
It's not the first time that Eskom's lackadaisical IT security has been exposed: security researchers at Malware Hunter also found Trojan software running on internal company machines, only for their report warning Eskom of the compromise to be rebuffed by the company.
Despite being a state-owned monopoly, Eskom has perennially struggled financially. In its current financial year it is heading for a R20.1 billion (£1.15bn) loss, despite an average electricity price increase of 613 per cent in nominal terms over the past 15 years. The company is R419 billion in debt and its ageing, largely coal-fired power plants struggle to meet demand.
Pressure group Corruption Watch, meanwhile, has targeted a number of former Eskom board members claiming gross negligence and violation of duties.
Shortly before publication, Eskom finally responded after Stokes went public. The company tweeted: "We have passed this on to relevant authorities for urgent investigation and action."
Computing will update this story as we receive more information.