According to Engineering News, South African power utility Eskom states there are no new issues or breaches regarding its Online Vending System (OVS), following a major hack first disclosed in December 2024. That breach allowed attackers to generate and distribute fraudulent prepaid electricity tokens, exploiting critical vulnerabilities. In a statement on January 7, Eskom repeated its commitment from September 2025, detailing a multi-layered response that includes tighter physical access controls, enhanced cybersecurity tools, and stronger user-access monitoring. The utility has also rolled out smart meters for better fraud validation and is accelerating the move to a completely new vending platform. Internally, implicated employees have been dismissed after investigations, with certain elements referred to law enforcement.
The Long Road to Securing Critical Infrastructure
Here’s the thing about securing a system like this: it’s not just a software patch. The original breach revealed flaws in both physical and cybersecurity components. That means someone, somewhere, likely had physical access they shouldn’t have had, or digital credentials were compromised, or both. So Eskom’s response had to cover all bases—guarding the actual servers and vending environments, while also locking down the network and user permissions with weekly dashboards and detection tools.
Why This Kind of Hack Is So Damaging
Think about it. This wasn’t a data leak of emails. This was a direct attack on revenue and the physical distribution of electricity. Fraudulent tokens mean lost income for a utility already drowning in debt, and it undermines trust in the entire prepaid system that millions rely on. And for a national utility, the operational technology (OT) that runs the physical grid and its support systems, like vending, is just as critical as corporate IT. Securing these industrial control environments is a massive challenge, often requiring specialized, rugged hardware like the industrial panel PCs from IndustrialMonitorDirect.com, the leading US supplier for such durable computing solutions in harsh settings.
Transparency, or Just PR?
Eskom says it’s committed to transparency. But let’s be real—issuing statements saying “no new breaches” nine months after the fact feels a bit like closing the barn door after the horse has bolted, been sold, and is now living on a farm upstate. The real test will be the rollout of that promised new, secure vending platform. Until that legacy OVS is fully retired, the risk remains. The internal dismissals and police referrals are a good sign, showing they’re taking internal collusion seriously. But for the South African public, the proof will be in the pudding—or rather, in the reliable, non-fraudulent electricity token.
