Misconfiguration Error Leads to Energy Provider Data Breach

Eversource, New England’s largest energy provider, has had its customers’ data exposed in a data breach brought on by a misconfiguration error on March 16th.

Powering the Breach

The provider discovered that one of its cloud data storage folders had been set to open access in error when it was supposed to be set towards restricted access. Eversource, a supplier of natural gas and electricity to the Connecticut, Massachusetts and New Hampshire areas, serves more than 3.6 million customers in its database.

The investigation launched by Eversource’s security team discovered that the unsecured folder involved in the data breach contained personal data relating to their customers in eastern Massachusetts. The information that has been exposed includes customer names, addresses and phone numbers, all the way to social security numbers and Eversource account numbers among other items.

As soon as the error was detected, the folder was secured instantly with the security team believing that the sensitive information contained was never accessed, stolen or led to misuse by any unauthorised third parties.

Cyberscout Steps In

On behalf of Eversource, cybersecurity company Cyberscout is handling all customer service relations in regards to the breach. Cyberscout conducted an FAQ document for customers which so far has shown that 11,000 customers had been impacted by the breach.

In overlooking the document, it was stated that the exposed files were created in 2019, showcasing that the incident was of a prolonged breach lasting 19 months in total. The information was shown to have been stored in an unencrypted format.

Unhappy Customers

Customers received written letters from Eversource to explain the data being impacted which has led to predictable displeasure from customers on online forums such as Reddit. Among their grief’s with the company for their data being accessed, displeasure at their less than adequate security measures has been at the forefront of discussion.

James McQuiggan, the security awareness advocate for KnowBe4, acknowledged that organizations such as Eversource and others need security processes and procedures in place whenever they use cloud and on-site servers that are exposed to the internet. Pointing out that whenever organizations utilize any cloud service, restricted and locked down access to only necessary and authorised users should be instilled immediately.

James would also state that Infosec and IT departments should be sure to collaborate with every department that would require offsite servers for development and to verify that the system is not posing risk in being openly available to anyone on the internet.

For more information on enterprise security and identity management, check out the upcoming events from Whitehall Media.