The eThekwini Municipality has been forced to take down its new online billing site — a day after it went live — after a severe security blunder that left ratepayers’ private information openly exposed.
The “eServices²” system went live on Wednesday‚ but security flaws were almost immediately exposed. The website was not secured with online encryption‚ meaning that all users’ personal information – including ID number‚ email addresses‚ phone numbers and passwords – could be obtained by almost anyone.
Making basic changes to the website’s URL address line‚ a TMGDigital reporter‚ who is an eServices user‚ was able to find information on two other ratepayers. And to prove how easy it was to access the information‚ online security expert Werner van Deventer‚ found the reporters’ login and password information.
Van Deventer said: “Users often make use of the same password across multiple sites. Once you have a password and an email address you can often use it to access other accounts the user might have. ID numbers and utility bills can be used for identity thefts and even FICA verification. It’s a good idea that people know [about the breach] so that if they are sharing the password elsewhere they can change it.”
The municipality tweeted on Thursday that the site was pulled down.
“We are adding the required security to the site‚ and in the interim will take it offline until we update the security‚” the official @eThekwiniM site tweeted.
Ethekwini online billing site taken down after security blunder
The eThekwini Municipality has been forced to take down its new online billing site — a day after it went live — after a severe security blunder that left ratepayers’ private information openly exposed.
The “eServices²” system went live on Wednesday‚ but security flaws were almost immediately exposed. The website was not secured with online encryption‚ meaning that all users’ personal information – including ID number‚ email addresses‚ phone numbers and passwords – could be obtained by almost anyone.
Making basic changes to the website’s URL address line‚ a TMGDigital reporter‚ who is an eServices user‚ was able to find information on two other ratepayers. And to prove how easy it was to access the information‚ online security expert Werner van Deventer‚ found the reporters’ login and password information.
Van Deventer said: “Users often make use of the same password across multiple sites. Once you have a password and an email address you can often use it to access other accounts the user might have. ID numbers and utility bills can be used for identity thefts and even FICA verification. It’s a good idea that people know [about the breach] so that if they are sharing the password elsewhere they can change it.”
The municipality tweeted on Thursday that the site was pulled down.
“We are adding the required security to the site‚ and in the interim will take it offline until we update the security‚” the official @eThekwiniM site tweeted.
Would you like to comment on this article?
Register (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.
Trending
Latest Videos