Johannesburg - The City of Joburg has apologised for the inconvenience caused by the security glitch that exposed customer rates and services invoices to fraudsters.
The e-statement site had to be shut down on Tuesday afternoon after it was revealed by IT specialist Gerd Naschenweng that for years residents’ accounts were exposed to fraudsters because basic security measures had not been implemented on the system.
The site was still offline on Wednesday morning, causing huge inconvenience to residents wanting to access their accounts.
In an e-mailed response on Wednesday, city spokesman Nthatisi Modingoane apologised for the inconvenience and urged ratepayers to access their accounts through the call centre while the e-statement site was offline.
“We are aware of the security breach and our technical team has brought the services down to prevent further unauthorised access to consumer accounts.
“The city (is) investigating the root cause and a permanent solution will be applied. We do apologise for any inconvenience caused,” Modingoane said.
Naschenweng said this breach would have severely compromised ratepayers’ security as the information could be used for criminal activities.
The statements could be printed out and used fraudulently for financial transactions where municipal statements were needed.
Account numbers and PINs were also easily accessible and could be used to obtain personal details, such as addresses, which appeared on the invoices.
The information could be used for “social engineering” or other criminal activities such as finding out the value of a property, electricity and water consumption, arrears and credit due.
“Although it could be a difficult process, people could even apply for credits and refunds owing to ratepayers,” he said.
Naschenweng said he discovered the breach by accident when a friend asked him to find his account.
“I was astounded to see I could access anyone’s account. I had a bit of fun going through the accounts and I am shocked to see what large amounts people owe the city,” he said. “This problem is poor implementation of their website, which disregards any best practices for web and data security. In the IT industry this is a rookie mistake.
“The service provider which implemented this functionality will need to implement a solution so that only authenticated users can view their own data.”
Accessing accounts was as easy as clicking on a few icons on the website. To prove the point, he sent The Star accounts showing huge arrears, such as the SA National Roads Agency Ltd being R55 000 in arrears.
A notice posted on the website on Wednesday morning stated that the site was “experiencing technical difficulties”.
Naschenweng said when he noticed the breach, he immediately contacted the city and tried to explain the error, but no one could understand what he was saying.
DA spokesman on billing, Linus Muller, said the magnitude of this basic security error revealing personal details was “shocking”.
“Any incident that exposes ratepayers’ information that could be used to commit fraud is a cause for concern.
“Fraudsters had access to close on a million clients’ account details - this could be used, in conjunction with fake IDs, in any credit purchase transaction as proof of residence. It is regrettable that the so-called caring and world-class city chose to ignore a whistle-blower’s attempts to make them aware of the problem,” he said.
Regarding the Sanral account, Muller said the problem was that more than R50 000 of the arrears was owing for 90 days and longer.
“The city’s policy is to disconnect electricity to clients with arrears of R1 500 or more for 30 days or longer. To my knowledge, this has not happened. I am also not aware if Sanral is another ‘high-profile’ victim of the billing crisis, and need either to pay their dues, or set the record straight,” he said.