Arlington County has plugged a vulnerability in its automated services system for homeowners after ARLnow.com and a local IT services provider brought it to officials’ attention.
The vulnerability was in a phone system and website used by the Arlington Dept. of Environmental Services to automate waste pickup scheduling and water service changes.
The phone system would allow a caller to enter either an account number or their address. When one entered an address, however, the system would then provide that homeowner’s name and account number.
With the account number, one could theoretically go online and shut off the home’s water service, or order a big pile of mulch to be delivered to the homeowner’s yard and billed to the homeowner’s account.
ARLnow.com tested the vulnerability and came one click away from sending a big mulch pile to the front yard of a national media personality who lives in Arlington. Through a spokeswoman, that individual declined to comment or be identified in this article.
Within a week of ARLnow.com notifying the county, the automated phone system had been taken offline — callers now only have the option of speaking to a customer service representative — and some account number fields were removed from online forms.
“Our approach is customer-focused and to make it convenient for residents to make service requests, order mulch and report problems through the County website or by telephone,” said Dept. of Environmental Services spokeswoman Jessica Baxter. “It is a philosophy our customers value based on their feedback.”
“To date, we have not had a problem with people misusing the system,” Baxter continued. “As with any system, we are always looking for ways to improve while balancing the needs of our customers. Thanks for bringing this matter to our attention.”
Alexander Chamandy, the founder of Arlington-based IT services firm Envescent, LLC, was the first to spot the vulnerability.
“I discovered this unauthorized information disclosure issue by accident when scheduling a curbside pickup with Arlington,” he said. “It was disconcerting that one’s account information, name, address and other details could be shared with an unauthorized party. Because identity theft and data breaches are on the rise I felt it was important to alert ARLnow.com and Arlington County.”