Power utilities are not safe from cybercriminals, as the case of Eskom (Elektrisiteitsvoorsieningskommissie), a power utility in South Africa, shows. Its database was leaked online, exposing customer data to unauthorized access. A vocal security expert named Devin Stokes has been very active in calling out Eskom’s alleged negligence.
“@Eskom_SA You don’t respond to several disclosure e-mails, e-mail from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view! I never even gave them an IP of a server. How would they know which one?” said Stokes on Twitter.
Nondumiso Zibi, the acting Chief Information Officer of Eskom, denied the accusation, saying that the company has no direct control over the server because the server where the data was leaked is not owned by Eskom. “We have traced it and can confirm that it is hosted in the US. We have managed to trace the company responsible for this server and the database. The company is very co-operative and has since confirmed that the server has been shut down,” explained Zibi.
A competent cybersecurity consulting firm also examined the case and concluded that there is no solid evidence yet for the alleged data leak, although the possibility cannot be ruled out. “Whether data was leaked, there is no concrete evidence. However, considering that he [Stokes] stumbled upon it, it is likely that others have too. This is a common problem that occurs in enterprises, usually due to misconfigurations by inexperienced individuals. What is more concerning is the lack of communication between the researcher and Eskom. There is a lesson for Eskom to learn about how to engage with security researchers on the Internet making claims about security incidents. It is expected that this type of situation will happen again in the future,” emphasized Charl van der Walt, co-founder of Sensepost.
Another security researcher, Jon Tullett, argues that regardless of who physically owns the servers, Eskom cannot wash its hands of the responsibility for securing the servers where its customers’ data is stored. “There’s a semantic game going on there. The [Eskom] statement says the database doesn’t belong to Eskom, not that the data doesn’t. In other words, it’s plausible that Eskom customer data leaked, and was then housed in a third-party database, and Eskom appears to accept that this is possible. There are separate issues to consider here; the two most relevant being whether the data is valid at all, and separately whether it was Eskom who lost control of it,” said Tullett.
Companies in the utility business should not ignore the importance of preparing and building a credible cybersecurity defense strategy. The importance of data encryption is also highlighted every time a data breach happens. Organizations should stop storing personal information records in unencrypted databases. Many data breaches could have been harmless had the data been stored in an encrypted state; this is a valid cybersecurity practice that should never be ignored.
“Validity is most urgent. Whether it’s data from Eskom or a different service provider, if it’s high-risk personal data then a lot of people may be exposed to financial fraud and identity theft. Eskom should be conducting a forensic review to identify potential breaches – it’s not enough to just dismiss one data-set and assume everything else remained secure,” added Tullett.