Paying utility bills is a drag so most utility companies these days have set up a range of different payment options, including mobile apps, to make payments more convenient for their customers. Despite their good intentions, utility companies may not be aware a data leak is adding the cost of your stolen PII to your monthly bill.

Mahavitaran is the second largest electricity distribution utility in the world and supplies electricity to a staggering 22 million consumers across the Maharashtra region in India.
The company’s mobile app, “Mahavitaran Consumer App”, has between 100,000 and 500,000 installations. It’s primarily used by customers to view and pay their bills online, as well as to apply for a new connection.
Wandera’s threat intelligence technology MI:RIAM identified instances of a data leak that affected both the iOS and Android apps of Mahavitaran, which put customer information at risk of theft.

How does the data leak happen?

At almost every stage, including during user registration and login, in new connection requests and for payment transactions, the app was leaking users’ personally identifiable information (PII). This includes customer credentials, like username and password, leaving them totally exposed to hackers.
Using MI:RIAM, the Wandera team also identified that the parameters sent to the app’s backend were vulnerable to SQL Injection, which means that the full client database of Mahavitaran would be at a hacker’s mercy.

SQL Injection explained

SQL injection attacks allow attackers to spoof identity, tamper with existing data, void transactions or change balances, disclose all of the data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. The severity of a SQL Injection attack is limited only by the attacker’s skill and imagination, and it should be treated as a high-impact risk to an organization.
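To make the backend weakness described above concrete, here is an added illustration (not code from Wandera or from the Mahavitaran app, whose backend was not published) of a consumer-number lookup done two ways: with the request parameter spliced into the SQL text, and with the same value bound as a query parameter. The table, its rows and the probe string are constructed for the demo and mirror the PII categories the post lists.

```python
import sqlite3

# Constructed sample data: a handful of consumer records with the kinds of
# fields the post says were exposed (consumer number, billing unit, name, mobile).
SAMPLE_ROWS = [
    ("100000001", "4411", "Asha", "Patil", "9800000001"),
    ("100000002", "4411", "Ravi", "Kulkarni", "9800000002"),
    ("100000003", "4502", "Meera", "Joshi", "9800000003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consumer (consumer_no TEXT, billing_unit TEXT, "
        "first_name TEXT, last_name TEXT, mobile TEXT)"
    )
    conn.executemany("INSERT INTO consumer VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, consumer_no):
    # The request parameter is pasted straight into the SQL text, so the
    # database engine cannot distinguish the caller's data from the query itself.
    sql = ("SELECT consumer_no, first_name, last_name, mobile FROM consumer "
           f"WHERE consumer_no = '{consumer_no}'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, consumer_no):
    # The value is bound as a parameter: whatever it contains is compared as a
    # literal string and can never alter the structure of the query.
    sql = ("SELECT consumer_no, first_name, last_name, mobile FROM consumer "
           "WHERE consumer_no = ?")
    return conn.execute(sql, (consumer_no,)).fetchall()


def demo():
    """Return row counts for a normal lookup and for a quote-breaking probe."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "100000001")),
        "vulnerable_probe": len(lookup_vulnerable(conn, probe)),  # every row leaks
        "hardened_normal": len(lookup_hardened(conn, "100000001")),
        "hardened_probe": len(lookup_hardened(conn, probe)),  # no match, no leak
    }


if __name__ == "__main__":
    print(demo())
```

The unparameterized version returns the entire table for the probe, which is exactly the "full client database at a hacker's mercy" outcome the post describes; the bound-parameter version returns nothing because the probe is just an unmatched string.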

What is being exposed in the data leak?

The following PII was exposed when a user registers on the app:

  • Username
  • Password
  • E-mail address
  • UID
  • Date of birth
  • Pin
  • Billing unit
  • Consumer number
  • Bank account number
  • Mobile phone number

The following PII was exposed during the login procedure:

  • Username
  • Password

The following PII was exposed when a user pays his/her bill:

  • Username
  • Password
  • Customer number
  • First and last name

The following PII was exposed when users update their information:

  • E-mail
  • Phone number

The following PII was exposed when users request a new connection:

  • E-mail
  • Phone number
  • First and last name
  • Address
  • City


What can your business do to avoid being impacted by a data leak?

Global firms with any kind of presence in India should have an active mobile security service deployed. These technologies should include filtering and blocking at the data level, so that traffic to leaky apps is blocked and the data leak is prevented.
This will keep all devices in corporate fleets protected from a data leak, even those that are jailbroken, employee-owned or otherwise outside EMM control.