Security researcher Devin Stokes has announced via Twitter that a vulnerability in Eskom’s database is leaking customer data.
Stokes decided to reveal the data breach after Eskom, a South African public electricity utility, repeatedly ignored his pleas to resolve the leak.
“You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet?” Stokes tweeted in desperation. “This is going on for weeks here. You need to remove this data from the public view! You are unnecessarily exposing YOUR customers’ data!”
In a follow-up tweet, the researcher uploaded a screenshot of a customer record in a live database, which showed the person’s full name and credit card CVV.
It’s still not clear what caused the leak, or how the customer database was accessed.
When queried about the leak by the mybroadband.co.za website, Eskom said that its IT department is conducting investigations to find out whether Eskom’s data was compromised.
“We will comment fully once the investigation is concluded,” Eskom reportedly said.
News that an Eskom database is leaking customers’ data comes after a security researcher from ‘MalwareMustDie’ contacted Eskom on Wednesday (Feb. 6th) to notify the utility that an Eskom employee had installed a Trojan on her machine.
According to the researcher, all of the employee’s credentials were compromised, including her company credentials.
Eskom did not disclose the details of the breach but later thanked the hacker on Twitter, stating that the issue had been investigated and the necessary actions had been taken.