New England’s energy provider Eversource suffered a massive data leak in March that compromised the personal information of thousands of customers. Eversource Energy has sent across notifications to its customers to notify them about the breach.
According to the notification sent out by Eversource, the company identified a misconfigured cloud storage on 16th March that exposed the personal information of customers, such as their names, addresses, phone numbers, social security numbers, service addresses, and account numbers. Further investigation revealed that the leaked data belonged to customers residing in eastern Massachusetts.
The data leak was detected and fixed on the same day and the company’s security team confirmed that the exposed data wasn’t used illegally or stolen or misused by unauthorized third parties. CyberScout, the cyber security company handling customer services on behalf of Eversource, published a document with additional details about the security incident, stating that the exposed files were created in August 2019 and included personal information of 11,000 Eversource customers residing in eastern Massachusetts.
For affected customers, Eversource is offering a free one-year identity monitoring service through Cyberscout.
Commenting on Eversource leaking the personal data of around 11,000 customers via a misconfigured cloud storage server, George Papamargaritis, MSS Director, Obrela Security Industries, said that this incident highlights how cloud security misconfigurations can be detrimental to organisations and put their customer data in jeopardy and potentially at risk of hacking.
According to Obrela’s Q1 threat data, cloud attacks on oil and gas organisations have increased by over 24% in Q1 2021 compared to Q1 2020, indicating that hackers were already aiming at gaining access to the company's data records even before the leak occurred. Eversource, however, maintains that the exposed data was not accessed by third parties before the leak was discovered and plugged.
According to Niamh Muldoon, the global data protection officer at OneLogin, this breach acts as a reminder to all on how data is like ‘liquid gold’ and what appears not to be particularly dangerous from a cybersecurity perspective, has a huge impact from a privacy breach perspective as the data stolen can be used, harvested and mined to understand user behaviours and preferences.
“Although the investigation into this breach is still ongoing, and Eversource has reassured customers that they believe personal data has not been compromised, customers should still take precautions, especially those residing in eastern Massachusetts.
“For customers who may have been potentially affected by this breach, it is best practice to act with caution, as if your personal details have been affected, particularly as highly sensitive data was stored in the compromised files. Therefore, be wary of messages coming from unknown sources, and consider changing your passwords associated with this account, especially if they are duplicated across other personal accounts,” she added.