Eskom denies its live customer database has been exposed online - but the security specialist who found it disagrees
MongoDB database 'does not belong to Eskom and is not hosted on our network', claims Eskom CIO

South African utility giant Eskom has denied claims made earlier this week that its live customer database - including payment details, such as credit cards - has been exposed on the internet.
Responding to complaints from security specialists in South Africa, the company's acting CIO, Nondumiso Zibi, claimed that Eskom's investigations prove that the database "does not belong to Eskom and is not hosted on our network".
He added: "We have traced it and can confirm that it is hosted in the US. We have managed to trace the company responsible for this server and the database. The company is very co-operative and has since confirmed that the server has been shut down."
The company, he continued, is conducting further investigations to determine whether the data in question is valid and belongs to Eskom customers.
I never even gave them an IP of a server. How would they know which one?
— stoXe (@DevinStokes) February 7, 2019
But the security specialist who went public with the alleged compromise, Devin Stokes, described the company's explanation as nonsense - not least because he never provided Eskom with the IP address of the exposed MongoDB database.
"They had live payment records populating the database for electricity customers," he tweeted, pointing out that no-one from the company has bothered to contact him to find out more details about the exposed database.
He added that there are three likely explanations: "They left their database unsecured on an American cloud host, such as Azure or AWS (most likely); or, they got hacked and the data siphoned off (not likely); or, they sold the data to another company (no idea)..."
"I don't understand how your data being on someone else's servers, logging financial transactions through the mobile app in a live fashion is possible. Does that make sense to anyone else or am I crazy?" asked Stokes in response to Eskom's statement.