Durban council bungle exposes residents' ID numbers and home addresses
A security blunder on the eThekwini municipality's online billing site has exposed the personal information of thousands of Durban ratepayers, putting them at risk of identity theft.
The municipality's "eServices²" site was launched on Wednesday, with a confirmation e-mail sent to ratepayers alerting them that they could access the online portal to find their latest municipal bills and billing details.
When logged in, all ratepayer details, including ID and phone numbers, e-mail addresses, login information, municipal account numbers and residential addresses, are clearly visible. However, because this information was not encrypted, anyone could access any other ratepayer's information. By making basic changes to the URL in the browser's address bar, a Times reporter was able to find the information of two other ratepayers.
The municipality hastily pulled the site at about 2pm on Thursday. However, two Durban tech experts had alerted the municipality to the problem before 6pm on Wednesday, about 20 hours before the site was pulled.
The municipality said in a statement on Thursday afternoon that it was investigating claims that clients’ account information was being shared.
"As a precautionary measure, the municipality has taken the site offline in order to prevent any unauthorised access to our client data. It is envisaged that the site will be back online on Monday, September 12, and in the meantime eServices users can contact the Revenue Call Centre on 031-324-5000," the statement said.
Online security expert Werner van Deventer said his suspicions about the city's security were raised as soon as he received the e-mail, because his username and password were visible, "showing that e-mails are not stored securely".
He immediately logged on to change his password‚ but found that it was not secured because eServices was not encrypted.
"There are a few attack vectors that the new site exposes, the most significant being account enumeration, allowing anyone, sometimes without a login, to view anyone's details, including municipal billing data. The site is not secured with SSL, so anything travelling over the wire, including passwords, can be read by anyone on the network," said Van Deventer.
SSL (Secure Sockets Layer) is a form of online encryption that protects sensitive information from being read as it travels between a user and a website. Banks use similar encryption to protect clients using their online platforms. To prove how easy it was to access the information, Van Deventer found the login and password details of the author of this story.
Former Durban resident Taylor Gibb, Microsoft's regional director in South Africa, also exposed the flaw on his blog.
"The eThekwini municipality recently updated the eServices website. The first problem I noticed is that they e-mailed all users their user names and passwords, which meant they are storing our data in plain text," wrote Gibb.
"What I found was shocking; by changing a single portion of the URL, you are able to see full details for any other registered user on the system. The government has an obligation to protect our data and I have an obligation to inform you that your data is not safe . . . this is a huge security issue."
Van Deventer said: “Users often use the same password across multiple sites. Once you have a password and an e-mail address you can often use it to access other accounts the user might have. ID numbers and utility bills can be used for identity theft and even Fica verification.”
If people were using the password elsewhere they ought to change it, he said.
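The two application-level defects the experts describe, an account lookup driven only by a value in the URL and passwords kept in a form that can be e-mailed back to users, are illustrated below in a small Python model. This is an added example written for this article, not code from the eThekwini site or from either expert; the portal, its account records, user names and passwords are all constructed sample data. It shows the unsafe lookup beside a version that ties every record to the logged-in session, and stores only salted password hashes so there is nothing recoverable to mail out. Transport encryption (TLS at the web server) is a deployment setting and is not modelled here.

```python
"""Added illustration of the defects described in the article, each beside
its fix. All accounts, users and passwords are constructed sample data;
nothing here is taken from the real eServices site."""
import hashlib
import hmac
import os
import secrets

# Constructed ratepayer records, keyed by a hypothetical municipal account number.
ACCOUNTS = {
    "10001": {"owner": "alice@example.test", "id_number": "800101-SAMPLE-081",
              "address": "1 Example Road", "balance": 1234.56},
    "10002": {"owner": "bob@example.test", "id_number": "790202-SAMPLE-082",
              "address": "2 Example Road", "balance": 78.90},
}


# --- Password storage -------------------------------------------------------
# Users received their own passwords by e-mail, which implies the site kept
# them in plain text. Keeping only a salted, slow hash means the site can
# verify a password but can never display or mail it back.

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed credential table: e-mail -> (salt, digest). Plain text is never kept.
USERS = {
    "alice@example.test": hash_password("correct horse"),
    "bob@example.test": hash_password("battery staple"),
}


# --- Session handling -------------------------------------------------------
SESSIONS = {}   # session token -> authenticated user e-mail


def login(email, password):
    """Issue a random session token on a correct password, else None."""
    record = USERS.get(email)
    if record is None or not verify_password(password, *record):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


# --- Account lookup ---------------------------------------------------------

def get_account_vulnerable(account_no):
    """The defect the article describes: the record is selected by the URL
    parameter alone, so changing that parameter returns someone else's data."""
    return ACCOUNTS.get(account_no)


def get_account_hardened(token, account_no):
    """The fix: identify the caller from the session first, then return the
    record only if that caller owns it. A record that is missing and one that
    belongs to another user both yield None, so the response no longer reveals
    which account numbers exist."""
    user = SESSIONS.get(token)
    if user is None:
        return None
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != user:
        return None
    return record


if __name__ == "__main__":
    # Constructed walk-through: Alice logs in and asks for her own and Bob's account.
    token = login("alice@example.test", "correct horse")
    print("own account:", get_account_hardened(token, "10001"))
    print("other account:", get_account_hardened(token, "10002"))
```

The ownership check in `get_account_hardened` is the whole of the fix for the URL-change problem: the account number in the request is treated as a claim to be checked against the session, not as an authorisation in itself. Returning the same `None` for foreign and non-existent accounts is what removes the enumeration channel Van Deventer mentions.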