CLEVELAND — The personal information of Cleveland Water customers was left unsecured and was easily accessed through the department’s account log-in, according to a News 5 investigation.
No special program or tools needed to see info
Clevelander Kevin Rak is a computer engineer. He said when he tried to log into his Cleveland Water account online, he put in his username and password and hit “enter,” and the site just brought him back to the log-in page with his input cleared out.
“One of the things built into your browser is it can show you all the network communication between your computer and the server,” Rak said.
We asked him about the problem he uncovered.
“You don’t need any extra tools or special programs to see this on your computer. Is that correct?” we asked.
“That’s absolutely correct,” he answered.
He showed us the area in his web browser. He checked one of the entries in the log and he was shocked.
“(Cleveland Water’s) server sends back my hash password, as well as all of my secret questions and answers, and my full first, middle and last name, phone number, email address,” Rak told us.
Plus, he said it wasn’t just his account leaving personal information out there in the open. “Very concerning. Anybody who knows anything about building a website will tell you that is a huge red flag,” said Rak. “Should never happen.”
The potential consequences
“If I use these same questions and answers for my bank account log-in, now anybody can go to Cleveland Water, get my answers, and then reset my password for my bank account,” said Rak.
Rak told News 5 about this vulnerability and said he wanted our help to get the department to fix it. “This is not something that happened accidentally,” said Rak. “They explicitly went and created a page. They created a URL designed to give this information out.”
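What Rak describes is a login endpoint whose response carries far more than the browser needs. The following is an added example, not Cleveland Water’s code (which is not public); the JSON field names and sample values are assumed. It shows a defender’s check that walks a JSON login response and flags keys that should never reach the client, beside an allowlist serializer that returns only the fields a session actually needs.

```python
import json
import re

# Constructed sample of an over-exposed login response. Field names and
# values are assumed for illustration; nothing here comes from the real portal.
LEAKY_LOGIN_RESPONSE = json.dumps({
    "username": "kr",
    "passwordHash": "$2b$12$abcdefghijklmnopqrstuv",
    "securityQuestions": [
        {"question": "First pet?", "answer": "rex"},
    ],
    "firstName": "Kevin", "middleName": "A", "lastName": "Rak",
    "phone": "216-555-0100", "email": "kr@example.com",
    "accountNumber": "12345",
})

# Key names that must never appear in a response to the browser (case-insensitive).
FORBIDDEN_KEY_PATTERNS = [
    re.compile(r"pass(word|wd)?", re.I),                # password, passwordHash, ...
    re.compile(r"(secret|security).*(question|answer)", re.I),
    re.compile(r"^answer$", re.I),                      # security-question answers
]

# The only fields a login response legitimately needs; everything else is dropped.
ALLOWED_FIELDS = ("username", "accountNumber")

def find_sensitive_keys(obj, path=""):
    """Recursively walk parsed JSON and return the paths of forbidden keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if any(p.search(key) for p in FORBIDDEN_KEY_PATTERNS):
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits

def check_response(body):
    """Return leaked key paths found in a JSON response body string (empty list if clean)."""
    return find_sensitive_keys(json.loads(body))

def sanitize_response(body):
    """Re-serialize a response through the allowlist so only approved fields survive."""
    record = json.loads(body)
    return json.dumps({k: record[k] for k in ALLOWED_FIELDS if k in record})

if __name__ == "__main__":
    print(check_response(LEAKY_LOGIN_RESPONSE))
    print(check_response(sanitize_response(LEAKY_LOGIN_RESPONSE)))
```

A check like `check_response` belongs in the test suite for every endpoint that returns account data, so a regression of this kind fails a build instead of surfacing in a customer’s browser.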
News 5 investigators inform Cleveland Water
We contacted Cleveland Water and gave the department enough time to address the problem. It denied us an on-camera interview but sent a statement saying in part that it “…quickly identified and resolved” the vulnerability and that it did not detect “…malicious activity related to this issue.”
Cleveland Water also told us that it is in charge of the log-in site and has used multiple third-party vendors to support it. It is not sure which vendor left the vulnerability open, but Cleveland Water is moving to a new system that better tracks those kinds of details. It is not sure how long the problem was in place.
“If they’re not able to say how long it’s been there, then that really leaves a bunch of question marks in the air for me there, too,” said Rak.
The department’s statement went on to say it doesn’t believe any account was compromised and that no financial information like Social Security numbers, credit cards or bank info is stored or transactions processed on its site.
Clevelander gets call from Cleveland Water
“They seemed very concerned about the issue,” said Rak during a follow-up interview.
He told us after News 5 investigators told Cleveland Water about the problem, technical advisers for the site called him. “I’m very glad that the part that I can see is gone. And the way that I stumbled across it isn’t accessible anymore,” Rak told us.
He said he just wanted to make sure the loophole was closed, customers were made aware of this, and that Cleveland Water learns from what he calls a significant and potentially financially dangerous mistake. “They need to take a more active security mindset with their website,” said Rak.
Here is Cleveland Water’s written statement:
“We were recently made aware of a function within the my.clevelandwater.com portal that made some user credentials vulnerable. Our team, along with a team of vendors, quickly identified and resolved the issue.
We have not detected any malicious activity related to this issue. Personal financial information is stored on a different system, behind additional layers of security protection and was not affected.
We recommend portal users change their account password. Please follow good password security protocols. Keep the following best practices in mind when choosing a new password:
- Make your password complex using a combination of upper and lower case letters, numbers and symbols
- Don’t use passwords based on personal information
- Use a unique password, not anything that is used for any other accounts
- Don’t use words that can be found in a dictionary
- Change your password on a regular basis”