An American power company has reached a settlement to pay an unprecedented $2.7 million penalty over significant security oversights that could have allowed hackers to gain remote access to the power provider’s systems.
According to an electronic filing, power regulators reached a settlement with an unidentified power company after a security researcher discovered more than 30,000 company records left unprotected online. Regulators did not disclose the name of the company, which neither admitted nor denied the violations.
“These violations posed a serious or substantial risk to the reliability of the bulk power station,” the filing says. The data associated with the exposure affected critical assets, including systems that control access to the unnamed company’s “control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores [critical cyber asset] information.”
According to the filing, the data was exposed publicly online for 70 days—including usernames and “cryptographic information” of those usernames and passwords. “Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords,” the filing says, adding: “A malicious attacker could use this information to breach the secure infrastructure and access the internal [critical cyber assets] by jumping from host to host within the network.”
The question now of course is, whodunnit?
One likely potential answer is Pacific Gas and Electric, also known as PG&E, where a critical data breach was previously reported. Chris Vickery, director of cyber risk research at UpGuard, first disclosed the PG&E breach while working for MacKeeper in May 2016.
Vickery wrote:
Last week I discovered a data breach involving Pacific Gas and Electric, a very large electric utility company in California. The publicly exposed database appeared to be PG&E’s asset management system. Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing.
Vickery said at the time PG&E’s IT department was trying to claim that the database was “fake.” The company later issued a statement, however, retracting that claim. Vickery wrote that he had notified the Department of Homeland Security about the issue so it could determine whether “hostile actors also found the database. (Under Presidential Policy Directive 21, the energy sector was designated by the Obama administration as “uniquely critical” infrastructure.)
According to E&E News, which first reported on the filing earlier this month, the $2.7 million penalty—the largest such fine ever disclosed—is pending the approval of the Federal Energy Regulatory Commission.
PG&E did not immediately respond to a request for comment. We’ll update if they do.