Eskom’s massive prepaid blunder

30 Jan 2025

The Auditor General of South Africa (AGSA) has flagged a major breakdown of controls at power utility Eskom that made it virtually impossible to determine the extent of its reported prepaid systems breach.

Presenting its annual financial results in December, Eskom revealed that the security of its online vending system (OVS) was breached, and the system was used to generate illegal electricity tokens in bulk.

The OVS facilitates the dispensing of prepaid electricity via virtual channels including banking apps, remote terminals such as ATMs, and other vending stations.

The system vends electricity tokens from the main Eskom central server through secure, approved agents, and should not permit any external vending channel to vend a token if it cannot communicate with the central server.

Tokens are encrypted and stored on the OVS database, and when used on a prepaid meter, decoded and validated against the database. The tokens only work if all the information matches.
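The two controls described above (a vending channel that fails closed when it cannot reach the central server, and a token that is only usable if it matches a record in the central database) are preventive. What the rest of the article turns on is whether the ledger behind them can answer the detective question: which usable tokens exist that never passed through the authorised vending path? The following is an added illustration, not Eskom's or the OVS's code; the principal name `ovs-vend-service`, the `dba_admin` account, the meter IDs and payment references are all constructed. A keyed digest stands in for the token encryption the article mentions, and a privileged write straight into the token store models the misuse of privileged access that the forensic probe identified.

```python
"""Constructed model of a prepaid vending control and its reconciliation (not Eskom's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

VEND_SERVICE = "ovs-vend-service"   # hypothetical: the only principal allowed to issue tokens


@dataclass
class TokenRecord:
    token: str
    meter_id: str
    units_kwh: float
    payment_ref: Optional[str]   # None means no payment stands behind the token
    issued_by: str               # principal that wrote the record: this is the audit trail
    redeemed: bool = False


class CentralServer:
    def __init__(self, key: bytes) -> None:
        self._key = key            # vending key, held only by the central server
        self.ledger: dict[str, TokenRecord] = {}
        self.online = True

    def vend(self, meter_id: str, units_kwh: float, payment_ref: str) -> str:
        """Authorised path: a token is created only against a payment and is recorded."""
        if not self.online:
            raise ConnectionError("central server unreachable")
        if not payment_ref:
            raise ValueError("payment reference required")
        nonce = secrets.token_hex(8)
        msg = f"{meter_id}|{units_kwh}|{nonce}".encode()
        # A 20-character keyed digest stands in for the encrypted token.
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:20]
        self.ledger[token] = TokenRecord(token, meter_id, units_kwh, payment_ref, VEND_SERVICE)
        return token

    def validate_at_meter(self, meter_id: str, token: str) -> bool:
        """Meter-side check: the token must exist, belong to this meter and be unused."""
        rec = self.ledger.get(token)
        if rec is None or rec.meter_id != meter_id or rec.redeemed:
            return False
        rec.redeemed = True
        return True


class VendingChannel:
    """A banking app or ATM front end. It holds no key, so it cannot mint tokens itself."""
    def __init__(self, server: CentralServer) -> None:
        self.server = server

    def sell(self, meter_id: str, units_kwh: float, payment_ref: str) -> Optional[str]:
        try:
            return self.server.vend(meter_id, units_kwh, payment_ref)
        except ConnectionError:
            return None   # fail closed: no token while the central server is unreachable


def privileged_direct_insert(server: CentralServer, meter_id: str, units_kwh: float, principal: str) -> str:
    """Failure mode: a privileged account writes a usable token straight into the store,
    bypassing vend() and with it the payment check. The meter will still accept it."""
    token = secrets.token_hex(10)
    server.ledger[token] = TokenRecord(token, meter_id, units_kwh, None, principal)
    return token


def reconcile(server: CentralServer, tokens_seen_at_meters: list[str]) -> list[tuple[str, str]]:
    """Detective control: every ledger entry must come from the vend service and carry a
    payment reference; every token observed at a meter must exist in the ledger."""
    findings = []
    for token, rec in server.ledger.items():
        if rec.issued_by != VEND_SERVICE:
            findings.append((token, f"written by {rec.issued_by}, not the vending service"))
        if rec.payment_ref is None:
            findings.append((token, "no payment reference"))
    for token in tokens_seen_at_meters:
        if token not in server.ledger:
            findings.append((token, "redeemed at a meter but absent from the ledger"))
    return findings


def demo() -> dict:
    server = CentralServer(key=b"constructed-demo-key")
    channel = VendingChannel(server)

    good = channel.sell("METER-001", 50.0, payment_ref="PAY-1001")
    server.online = False
    while_offline = channel.sell("METER-001", 50.0, payment_ref="PAY-1002")  # must be None
    server.online = True

    illicit = privileged_direct_insert(server, "METER-002", 1000.0, principal="dba_admin")
    ghost = "00000000000000000001"   # constructed: found on a meter during inspection, never in the ledger

    return {
        "good": good, "while_offline": while_offline, "illicit": illicit,
        "first_use": server.validate_at_meter("METER-001", good),
        "replay": server.validate_at_meter("METER-001", good),
        "illicit_accepted": server.validate_at_meter("METER-002", illicit),
        "findings": reconcile(server, [good, illicit, ghost]),
    }


if __name__ == "__main__":
    for token, reason in demo()["findings"]:
        print(token, reason)
```

The point of the model is that `validate_at_meter` accepts the insider's token just as readily as a paid one; only `reconcile` distinguishes them, and it can do so only because each record carries `issued_by` and `payment_ref`. Remove that audit data, or lose the logs and backups that hold it, and the same reconciliation degrades into the manual meter-by-meter inspection the AGSA describes.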

However, these controls were not sufficient.

Eskom said in December that it strongly suspected some of its own staff had colluded with illicit operators to compromise the OVS and facilitate the creation and sale of fraudulent prepaid electricity tokens.

It appointed an external IT company to conduct a forensic probe into the breach and make recommendations on fixing the OVS’s vulnerabilities.

Breakdown of controls

According to the AGSA, the illicit prepaid token and online vending breach was one of the biggest financial failures highlighted in its audit of the power utility.

This was also noted by Eskom itself, which attributed the late publishing of its financial results to the breach, saying it could not reliably estimate the financial impact of the incident.

Prepaid electricity tokens sold by Eskom via the OVS are recognised as revenue in line with IFRS 15 (Revenue from Contracts with Customers).

However, because an unknown number of fraudulent prepaid electricity tokens are now in circulation—tokens that may carry a future financial obligation for the group—the impact of the breach could not be determined.

The AGSA noted in its presentation to the Portfolio Committee on Electricity and Energy on Wednesday (29 January) that these delays and unknowables were deemed a failure of Eskom’s controls.

Firstly, the forensic investigation commissioned by Eskom’s management into the matter identified the unauthorised use of privileged-level access within the prepaid IT ecosystem to create illicit usable prepaid tokens.

This supports Eskom’s suspicions that its own employees may be involved.

Secondly, Eskom's controls, systems and procedures made it impossible to determine whether the incident had a material impact on the group's financial statements, owing to multiple points of failure.

The AGSA said this led the audit to conclude that a material breakdown of internal controls within the prepaid IT ecosystem had occurred, and it identified “significant deficiencies” related to the breach.

These include:

  • Inappropriate user access controls,
  • Dated systems with a lack of available data logs,
  • Inadequate backup procedures, and
  • A limited understanding by Eskom staff of the prepaid environment, including hardware and relevant systems.

“In addition, assessing whether the illicit prepaid tokens created have been utilised by outside parties is a manual process of inspecting meters,” it said.

The AGSA also warned that Eskom's tariff hike strategy, intended to make pricing "cost reflective", risks making the problem much worse.

“While the cost-reflective model may increase revenue for Eskom, it may come with further social and economic challenges—due to affordability challenges for the majority of the users of electricity.

“This may further fuel a demand for illegal electricity connections and illicit prepaid tokens, enabled by unscrupulous conduct by Eskom officials,” the AGSA said.
