An anonymous reader writes: A major security hole in the City of Johannesburg's online billing system has meant that customer invoices have been visible on the open web with a bit of simple parameter phishing. Change a digit in the URL for your bill, and someone else's appears. Including major corporations like the roads agency, SANRAL (which is R55 000 in arrears, apparently). Neighbouring Ekhuruleni had a similar problem too. Both problems were discovered by regular visitors at a local IT forum, and it's interesting to compare the two cities reactions. Ekhuruleni quietly and quickly fixed the problem, while Joburg has threatened legal action against the forumite — who tried to raise the issue with the city IT team several times before going public. Legal experts say there's a potential case for a class action.