Sloppy Southern Water found leaking customers’ bills and account details

Graham Cluley
@gcluley

As The Register reports, UK water service supplier Southern Water made it all too easy for unauthorised parties to view customers’ billing documents and account details.

A chap called Chris H uncovered the problem, and posted a blog about how the utility company allowed any logged-in customer to view bills and documents from other customers.

As Chris describes in his blog post, as a customer of Southern Water he is able to log into his account and view recent correspondence sent to him about his water bill.

Sign up to our newsletter
Security news, advice, and tips.

This includes being able to view his Direct Debit statement.

Clicking on the link takes Chris, as you would expect, to a PDF of the document.

Where’s the harm in that you might wonder?

Well, take a look – like Chris did – at the URL.

Chris found that the PDF document is actually stored on Southern Water’s internal SharePoint database, and the link to that document is used as a parameter in the URL visible within the customer’s browser.

https://youraccount.southernwater.co.uk/eservices/getpdfcorrespondence?correspondenceUrl=https://[redacted].sharepoint.com/sites/[redacted]/12/09_12_0_s1/[redacted].pdf

With a little twiddling of the parameters in the URL, it was easy to access bills belonging to other people – including their full names, addresses, customer account numbers, payment reference numbers, bill and payment dates, account balances, payment accounts, meter recordings, and so on… with no checks made as to whether the access was authorised.

That’s the kind of information that shouldn’t be public. After all, if someone rang you up claiming to be your water company and confirmed their identity by telling you some of those details… you might very well believe them, right?

Which would be a boon to scammers. And as utility bills are frequently requested as a proof of identity when making credit applications, there are plenty of opportunities for foul play.

Thankfully, the Southern Water website has now been reportedly been fixed, and data should no longer be leaking out. Albeit after a PR representative for the firm foolishly mentioned to Chris that it might look at taking legal action against him for pointing out their glaring flaw.

I wonder if other utility firms might be similarly behind-the-times when it comes to handling vulnerability reports appropriately.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.