A misconfiguration error has exposed personal data belonging to customers of New England's largest energy provider.
On March 16, Eversource discovered that one of its cloud data storage folders had erroneously been set to open access rather than to restricted access.
The company serves more than 3.6 million electric and natural gas customers in Connecticut, Massachusetts, and New Hampshire.
An investigation into the data breach launched by Eversource's security team found that the unsecured folder contained personal data belonging to customers residing in eastern Massachusetts.
Information exposed in the incident included names, addresses, phone numbers, Social Security numbers, billing addresses, and Eversource account numbers and service addresses.
The folder was secured on the same day that the error was detected, and the company's security team do not believe that the personal information it contains was accessed, stolen, or misused by any unauthorized third parties.
Cybersecurity company CyberScout is handling customer service related to the breach on behalf of Eversource. A "frequently asked questions" document created by CyberScout states that the data breach impacted about 11,000 customers.
The document states that the exposed files were created in August 2019, making the data breach a prolonged incident lasting a year and seven months. It also reveals that the information was stored in an unencrypted format.
One Eversource customer who received written notification from the company that their data had been impacted by the breach shared their displeasure on Reddit.
"I'm definitely not happy with Eversource right now, and I imagine a lot of people are going to be getting these letters over the next few days if they haven't already," they said.
"Organizations need to have security processes and procedures in place when utilizing cloud and on-site servers when exposed to the internet," commented James McQuiggan, security awareness advocate at KnowBe4.
"When organizations start to use any cloud service, it needs to be locked down and restricted access provided to only necessary and authorized users. Infosec and IT departments want to ensure they collaborate with all departments that require an offsite server for development and verify the system is not openly available to the internet,” he added.