Unprotected database exposes off-grid energy users in Guatemala, South Africa

An unprotected Kingo Solar database with the personal data and photos of thousands of off-the-grid electricity customers was accessible for months, reports Zack Whittaker at ZDNet. "Thousands of remote villagers in Guatemala and South Africa are living off the grid, but their personal information isn't," he writes.

The data insecurity issue in this story isn't theoretical; it's real and immediate, and that's something Western product designers don't always consider when dealing with at-risk users in developing nations where human rights are routinely violated with impunity.

"Having the exact coordinates of homes and pictures of people living in the area… that is something really powerful and dangerous, which can be easily abused," human rights attorney Renata Avila told Whittaker. "There have been numerous documented cases in recent years where human rights violations, like murders and private surveillance, have been linked to business interests in the region.

"In a country with thousands of murders per year, data theft and data leaks are very low priority," Avila says.


ZDNet: "Photos of homes were also taken by Kingo staff, and were stored in the database. This is one example. Image: leaked database."

Snip from the ZDNet report:

Chris Vickery, lead security researcher of the MacKeeper security research team, discovered an unprotected database with no password over two months ago. Anyone who knew the database was there could access more than 40 gigabytes of customer data. (..)

The database, run by Guatemala-based energy startup Kingo, has exposed the personal information of more than 18,800 customers, both in its home country and in South Africa.

Since 2013, Kingo has supplied thousands of prepaid solar power systems to low-income and poverty-stricken areas where traditional electricity supplies can't reach. The company provides, owns, and maintains the solar power technology used in each home, and customers top-up the device with prepaid codes, which are bought from authorized distributors — often local members of the community — and are punched into the device by the homeowner to run lightbulbs and charge cell phones for extended periods of time.

But to get that far, customers must sign up by providing their state identification — usually a national ID card or a passport, and sign contracts which govern the terms of service, such as maintenance and malfunctions. Once a homeowner is registered, any data associated with that homeowner is stored and logged into the company platform, known as Ant, a cloud service which stores all information associated with a customer's details, contracts, energy usage, and support requests, and any other relevant data.

It's believed that the company's Ant web database was left open for months on end.

Kingo says it has "taken immediate actions in order to secure the data," but the damage is done, and the users whose data was exposed effectively have no recourse. Way to go, Kingo.