Sloppy Southern Water found leaking customers’ bills and account details

Sloppy Southern Water found to be leaking customers' bills and account details

As The Register reports, UK water service supplier Southern Water made it all too easy for unauthorised parties to view customers’ billing documents and account details.

A chap called Chris H uncovered the problem, and posted a blog about how the utility company allowed any logged-in customer to view bills and documents from other customers.

As Chris describes in his blog post, as a customer of Southern Water he is able to log into his account and view recent correspondence sent to him about his water bill.

Sign up to our free newsletter.
Security news, advice, and tips.

This includes being able to view his Direct Debit statement.

Account view

Clicking on the link takes Chris, as you would expect, to a PDF of the document.

Chris direct debit

Where’s the harm in that you might wonder?

Well, take a look – like Chris did – at the URL.

Chris Direct Debit URL

Chris found that the PDF document is actually stored on Southern Water’s internal SharePoint database, and the link to that document is used as a parameter in the URL visible within the customer’s browser.

https://youraccount.southernwater.co.uk/eservices/getpdfcorrespondence?correspondenceUrl=https://[redacted].sharepoint.com/sites/[redacted]/12/09_12_0_s1/[redacted].pdf

With a little twiddling of the parameters in the URL, it was easy to access bills belonging to other people – including their full names, addresses, customer account numbers, payment reference numbers, bill and payment dates, account balances, payment accounts, meter recordings, and so on… with no checks made as to whether the access was authorised.

Other bill

That’s the kind of information that shouldn’t be public. After all, if someone rang you up claiming to be your water company and confirmed their identity by telling you some of those details… you might very well believe them, right?

Which would be a boon to scammers. And as utility bills are frequently requested as a proof of identity when making credit applications, there are plenty of opportunities for foul play.

Thankfully, the Southern Water website has now been reportedly been fixed, and data should no longer be leaking out. Albeit after a PR representative for the firm foolishly mentioned to Chris that it might look at taking legal action against him for pointing out their glaring flaw.

I wonder if other utility firms might be similarly behind-the-times when it comes to handling vulnerability reports appropriately.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.