Numerous news reports, citing the Wall Street Journal, are identifying Pacific Gas & Electric as the utility that was fined by federal regulators for a data breach in which PG&E lost control of confidential information for more than two months.
The San Francisco-based utility agreed to a $2.7 million fine first announced by the North American Electric Reliability Corp. in February. PG&E was not named in the NERC announcement, but later identified by a non-profit group, according to the Wall Street Journal piece.
The NERC release says the utility did not confirm or deny the allegations, but agreed to the financial penalty. The utility reportedly lost control of more than 30,000 pieces of information, which were left accessible on the Internet.
The utility, called an unidentified registered entity (URE) in the NERC statement, was alerted to the data breach by a “white hat security researcher” who was not part of the company. A third-party contractor apparently had improperly copied data from the utility’s network to the contractor’s network, “where it was no longer subject to URE’s visibility or controls.”
“The contractor failed to comply with URE’s information protection program on which it was trained,” the NERC statement reads. “While the data was on the contractor’s network, a subset of live URE data was accessible online without the need to enter a user ID or password.”
The incident happened in 2016, and the data was left exposed on the internet for close to 70 days, according to reports.
NERC reported that it was unlikely that other parties had accessed or downloaded the data, although more detailed system logs would have been required to determine that definitively.
“To recover the exposed data, URE contacted the security researcher and requested that he securely return the data, securely delete all copies of the data from his system, and submit to URE a signed, notarized affidavit confirming that he deleted all copies of the data.”