Hacking of Connecticut Utility Company Exposes As Many As 52,000 Customers' Information

The information of 52,000 people that may have been exposed includes payment card information, bank account information, Social Security and other government identification numbers, account usernames and passwords.

by Luther Turmelle, New Haven Register / December 22, 2017

(TNS) — The bank account numbers and personal information of as many of 52,000 customers of The United Illuminating Co., Connecticut Natural Gas and Southern Connecticut may have been exposed to potential identity thieves as a result of a security breach by a third party vendor.

Customers of the three utilities have begun receiving letters this week about the breach from TIO Networks. The Canadian company’s Softgate Systems subsidiary had been responsible until last month for processing the walk-in payments of customers from three energy companies, which are subsidiaries of Orange, Conn.-based Avangrid.

“The investigation to date has uncovered evidence of unauthorized access to the TIO network, including locations that stored personal information of some of TIO’s customers and customers of the companies that TIO services,” the letter to customers says in part. “We have no proof, however, that your data was accessed, acquired, or misused. Although we have no proof that your data was accessed, acquired, or misused, we are notifying you in an abundance of caution because the TIO servers involved in this incident stored data such as customer names, contact information, and subscriber/billing account numbers “

Other information that may have been exposed includes payment card information, bank account information, Social Security and other government identification numbers, account usernames and passwords, according to the letter.

TIO Networks is offering customers whose information may have been compromised one year of complimentary identity protection that includes credit monitoring, identity theft insurance and assistance with combatting identity theft and fraud, should any be detected.

News of the scope of the data breach surfaced just 24 hours after Avangrid announced it has contracted with Western Union to accept walk-in payments from customers of three utilities as well as Berkshire Gas of Massachusetts. The ability to make walk-in payments had been suspended for more than a month amid security concerns that surfaced after TIO Networks was acquired by online payments giant PayPal in July.

At the time walk-in payments for customers of the three Avangrid utilities were suspended in early November, spokesman Michael West said there was no evidence that customer data may have been compromised. But Avangrid officials were informed on Nov. 29 that a data breach had occurred, said Ed Crowder, an Avangrid spokesman.

“They (TIO Networks and Pay Pal) had come up with a communications plan to offer some credit protection, and because the problem occurred in the TIO Network, we let them take the lead in this,” Crowder said. “On our side, we also did some outreach to make customers aware of alternate payment methods.”

About 29,000 customers of UI alone make bill payments using the walk-in network, he said. Avangrid officials have not said how many customers make their payments in person, across the four utilities.

United Illuminating serves 325,000 residential, commercial and industrial customers in 17 towns in the New Haven and Bridgeport regions

The scope of the TIO Networks data breach goes well beyond Avangrid’s Connecticut utility customers and the state’s borders.

Last week, it was revealed that approximately 2.5 million customers of New Jersey’s largest utility, Public Service Electric & Gas, may have had their personal and financial data compromised.

TIO Networks processed payments made at automated kiosks in PSE&G's walk-in customer service centers between 2012 and 2017. It also allowed for utility bill payments at other payment centers, such as convenience stores.

©2017 the New Haven Register (New Haven, Conn.) Distributed by Tribune Content Agency, LLC.