How we discovered that an app discloses the data of more than 1 million Portuguese citizens

Please find the german version of this article here…

Those of you familiar with our company are perhaps aware that we don’t just have an office in Frankfurt but that there’s also another one in the stunning Portuguese capital of Lisbon where our Head of Development, João Santos, lives, works and … of course… consumes water as well.

So two weeks ago, this in part explains how he, as a water consumer and app user, stumbled across the “MyAqua” app made by the Portuguese company EPAL, who are not only responsible for the water supply in Lisbon but who generally take care of it for some of Portugal’s largest metropolitan areas.

Screenshots of the “myAqua” app made by EPAL the Portuguese water supplier

The MyAqua app offers its users a whole range of things: You can change your contract details, view invoices and amend payment arrangements or report disruptions in the water supply. To be able to show all this in the app and keep it constantly up to date, there needs to be an interface to a database where the data is stored centrally. An interface like this happens to be called an API. You might have heard the term before. Nothing out of the ordinary at this stage in any case.

However, João’s a bit more skeptical when it comes to these sorts of things. Nevertheless, an important part of his job is to make absolutely sure that the apps of our customers are protected against unauthorized external access. And he knows what can go wrong if you don’t take this responsibility seriously.

That’s why he simulated the same API request that the MyAqua app normally sends to the server with a testing tool. A tool like this is mainly used in software development to perform precisely this type of security test. These tools are freely available and anyone with even just a passing interest in software development has more than likely already used such a tool. This isn’t any of these “sociophobic nerd gets hold of banned tools on the darknet and does shady things with it we don’t actually understand” cases.

Openly accessible, personal data of more than a million water customers

Getting back to the matter at hand: João tested to see what was returned by the database if you entered your EPAL customer number in the tool. And, just for fun, what was returned if you entered any random EPAL customer number.

And what he saw — after approximately only 3 minutes of effort — was far worse than he had even imagined: Without needing any further authorization anyone could have been able to access the complete customer file on record by entering any possible customer number. Some of the data that could have been viewed for every existing EPAL customer number would have been:

  • Telephone numbers
  • Email addresses
  • Water consumption
  • ID card and tax numbers
  • Payment arrangements
  • Billing and consumer addresses
  • Number of people residing at the addresses

– and this was the case for more than a million water customers. Not to mention the data of 14 utility companies that EPAL collaborates with. All of this data was completely disclosed and was never transferred via an encrypted connection at any point (which would not have prevented the catastrophe in any case).

The day on which João reports of his discovery in Slack. I think you can feel my “amazement” somewhat…

Never before has such a big data breach in a company been made public in the history of Portugal!

You have to savor this for a moment: Imagine you’re sitting comfortably in a warm room having a cup of tea with an input field in front of you on the monitor and in it you can enter any random, guessed or known customer number of a water customer which then gives you access to all of the data stated above for the person with which such data is associated. There’s no doubt in my mind that you, specifically, are a citizen of the utmost integrity but I do believe that even you don’t need to try too hard to understand what someone with less than honorable intentions could do with such a wealth of data.

João then did two things:

First he wasted no time in contacting EPAL to make the people there aware that they were constantly leaving a door open to the high-security wing. In his email he asked them to contact him directly so he could explain where the risk was in more detail. That happened on August 28, 2017.

However, EPAL, whose most important values include “integrity” and “responsibility” according to their website, didn’t see any need to reply to João’s email.*

That’s why he sent a further email to to CNPD, the Portuguese data protection body two days later to explain the problem to them as well and, once again, to expressly point out that this was a clear breach of EPAL’s data protection regulations.

To escalate the situation further, João came to the decision to get in touch with “Exame Informática” magazine whose staff, in turn, tried to contact EPAL to explain to them that the magazine would have to make the security breach public if they didn’t respond. This took place on the Tuesday of last week, i.e. September 5. This past Saturday, September 9, 2017 the article about this issue was published on Exame Informática.

The article about the EPAL data breach on the landing page of “Exame Informática”

That same evening the non-secure API of EPAL suddenly went offline.

The security risks are huge

João presumes that the error was caused by the fact that the EPAL programmers in the development phase didn’t make a clean switch from the (usually less secure and solely supplied with test data) development version to the live version.

It may seem like a minor case of sloppiness but the security risks arising as a result of such a lapse are huge: Via the contact options available by email, post and telephone and the other data that was disclosed it could be possible for any semi-convincing human being to pass his or herself off as an EPAL employee to establish trust and coerce the victim in to making payments, granting access to the property and so on.

Another possibility would be ID theft and that EPAL themselves end up in a situation where they have customers who in fact do not actually exist. This would result in significant economic losses.

In any case, EPAL doesn’t seem to be too worried about the situation. They told “Exáme Informática” that at no point in the past had there been any indications of problems associated with the MyAqua app.

For a million or so customers, we hope this is true. And we also hope that EPAL will perhaps finally decide to take this data breach seriously and fix it.

Measured against the potential losses, the effort it would take to deal with the issue is more than manageable.

*In the meanwhile, EPAL contacted us and declared to fix this issue as soon as possible. Customer data will then be safe again.

Tim Wiengarten is a managing partner of rabbit mobile GmbH, an agency for the development of digital business applications with a mobile-first approach.

João Santos is Head of Development at rabbit mobile GmbH. In the case described above, he has uncovered the largest known data breach in the history of Portugal.

rabbit mobile assist their customers in matters ranging from conceptual-strategic preliminary project outlines to the realization and maintenance of on-going applications as well as the integration of such applications within an existing system landscape. And one more thing: protecting enterprise apps from external access as well…

You can get in touch with Tim Wiengarten here on Xing, here on LinkedIn or:
 by Email:
 by telephone: +49 69 256288–240

Like what you read? Give Tim Wiengarten a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.