Skip to main content

Name Of Utility Company That Leaked Information Just Released

By September 15, 2018June 3rd, 2022Cybersecurity

In 2016, an unnamed US energy company left some 30,000 records (containing information about its security assets) exposed for more than two months (a total of 70 days), in violation of energy sector cyber security regulations. When the incident was initially reported, the name of the company was withheld.

That company has now agreed to a $2.7 million-dollar settlement, and its name has now been made public, along with some additional details about the incident.

Initially, the company admitted that they unintentionally exposed the database in question, but that it contained fake data. As the investigation into the matter continued, it became apparent that the data was not only real, but that it included hashed passwords for administrators that hackers could have easily reverse-engineered. PG&E subsequently reversed their fake data assertion.

The exposed data was found by independent security researcher Chris Vickery, who indicated at the time that the database contained details for some 47,000 computers, virtual machines, servers and other devices.

In addition to that a number of non-encrypted email passwords were found, along with 120 encrypted passwords. In Vickery’s words, “This would be a treasure trove for any hostile nation-state hacking group.”

According to the official NERC notice regarding the incident:

“The data was exposed publicly on the internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords. Exposure of the username and cryptographic information could aid malicious attackers in using this information to decode passwords.”

Once PG&E was made aware of the problem, it took a server offline, which removed the exposed data. They also brought in third-party forensic experts to investigate, and as a result of that investigation, revised a number of their security policies.

Overall, the company’s handling of the matter was spotty at best, but in light of the record-setting fine, the hope is that we won’t see a similar instance of carelessness in the future.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.