It appears that a customer database associated with Eskom, South Africa’s state-owned power company, is currently being exposed on the Internet – including credit card and account information, addresses, names, energy usage and more. Someone found the vulnerability and has had trouble submitting the bug to the company, so they’ve taken it to Twitter.
@Eskom_SA You don't respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!
You are unnecessarily exposing YOUR customers' data! pic.twitter.com/MgAOWrRv8o
— stoXe (@DevinStokes) February 5, 2019
Eskom is South Africa’s state-owned electricity company, generating, transmitting and distributing approximately 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa.
Expert Comments below:
Jon Bottarini, Hacker and Lead Technical Program Manager at HackerOne:
“Accidental breaches of this type further drive home the point that every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something. Exposing the vulnerability details on Twitter seems to have been the last-ditch attempt on behalf of the security researcher to try and get in contact with someone who can resolve the issue.”