Cyber Incident Victim: City Power
Date:
Jul 2019
Location:
South Africa
Summary
A major electricity supplier in Johannesburg experienced a ransomware attack that encrypted its databases, applications, and network, forcing IT systems offline and disrupting services. The incident prevented over 250,000 pre-paid customers from purchasing electricity and hindered response efforts to localized blackouts. While most systems were restored following the attack, residual issues persisted, prompting the provider to direct customers to an alternative fault-logging platform. Officials confirmed no customer data was compromised and publicly apologized for service interruptions caused by the incident. Attackers demanded payment to restore access, though no fulfillment details were disclosed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 25, 2019, Johannesburg’s primary electricity utility, City Power, publicly disclosed a ransomware attack that disrupted its IT infrastructure and services. The attack encrypted all databases, applications, and networks, forcing the company to shut down its systems. This immediately impaired customer-facing operations, particularly the pre-paid electricity purchasing system, leaving over 250,000 residents unable to buy electricity credits. The utility’s website also went offline, compounding difficulties as customers could not report outages or access service portals. Social media platforms became primary channels for residents to report localized blackouts, though City Power’s ability to respond to these faults was significantly hampered by the IT shutdown. A company spokesman confirmed the ransomware’s widespread impact, emphasizing that pre-paid customers—who relied on daily transactions—were disproportionately affected. The malware’s encryption of critical systems paralyzed both administrative functions and service restoration efforts, creating cascading operational challenges.
The City of Johannesburg, which owns City Power, initiated recovery measures shortly after the attack. By the time of public announcements, most IT systems had been restored, though residual issues persisted. Officials directed customers to an alternative website to log faults while main systems remained unstable. The city explicitly stated no customer data was compromised during the incident and urged residents not to panic, while publicly apologizing for the service disruptions. Despite partial restoration, the ransomware’s encryption of core databases and applications prolonged recovery timelines, leaving some operational capabilities degraded. The incident underscored the vulnerability of critical infrastructure to ransomware, which locks systems until payment is made—though no ransom demand or payment was disclosed in public statements. City Power’s reliance on social media for customer communication during the outage highlighted the severity of its digital incapacitation.