Eskom, South Africa’s state-owned electricity company, left a database containing a swathe of financial data from their customers including name, card type, partial card numbers and CVV codes unsecured without a password. The exact number of customers affected is unknown but Eskom accounts for approximately 5.7 million customers across South Africa, according to 2016 estimates. The company also has a Trojan on one of their networked, corporate devices due to a senior infrastructure advisor downloading a fake SIMS 4 game installer.
Expert Comments below:
Kevin Gosschalk, CEO at Arkose Labs:
“The public exposure of customer data, such as Eskom’s account IDs, is not going away. If anything, there will be more of these in the future as attackers use more sophisticated tools and techniques. Companies not directly involved in this data exposure also need to be aware of the risks because having credentials compromised expands beyond Eskom due to people reusing credentials across multiple sites.
Organizations must be aware of the risk of its user’s accounts being hijacked through the use of automation, and organizations must take steps to prevent it. Attackers will use the spilled account IDs from Eskom with automated scripts to try the top 10 most common passwords and other previously leaked passwords against these account IDs. By doing this at scale, the attackers will gain access to accounts and use that to commit malicious activity elsewhere.
As a next step, consumers should use a password manager to ensure they are not re-using passwords across multiple sites. Have multi-factor authentication enabled where available, and opt to use a token-based (not SMS-based) option if possible.”
Anna Russell, VP at Comforte AG:
“This example clearly shows just how bad the situation is in a lot of cases when it comes to data security and protecting privacy. Someone getting access to an organisation’s billing software database is about as bad as it can get. At least the credit card number was protected and only showed the last four digits. But all other personal data was available for pretty much anyone to just take it. This is a prime example of a breach that is really going to hurt, mainly because all this personal, sensitive data is without any encryption or tokenization to protect it. Most, if not all, of this data, is probably being sold and exploited for identity theft right now. What do we learn from this? No matter what leads to a breach, the data itself must be protected. Otherwise, you will have to switch off the lights very soon.”
