Unsecured cloud storage led to data exposure at New England energy company

Eversource, New England’s largest energy supplier, exposed thousands of customers’ information following a cloud security misconfiguration.

The company is the largest utility in the region and provides electricity and gas to 4.3 million customers in Connecticut, Massachusetts, and New Hampshire.

According to a document released by cyber security firm Cyberscout, a March 16 security review revealed that one of its cloud data storage folders had been misconfigured and set to open access rather than restricted access. The files were created in August 2019.

The data exposure affected approximately 11,000 customers, and the company has notified them all.

The folder contained several files with the personal information of some Eversource eastern Massachusetts customers, including customers’ names, addresses, phone numbers, Social Security numbers, Eversource account numbers, and Massachusetts service addresses. No banking or financial information was involved.

The files were secured the very same day they were discovered, according to the company. The company’s security team said they had no indication that the personal information has been “accessed, acquired or misused by any external party.”

The company’s security team said that the exposure was unintentional and not the result of an attack or breach of Eversource systems.

Camille Charaudeau, VP of product strategy at digital risk protection company CybelAngel, told ITPro that this breach is further proof that addressing data breaches outside the corporate firewall is vital to managing your third-party risk.

“As more organizations turn to cloud providers for everything from infrastructure to apps to support employees, save money, and enable digital transformation, they are expanding their attack surface exponentially,” he said.

“Organizations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the Dark Web to detect and resolve external risks quickly, before they are exploited.”

Felix Rosbach, product manager at comforte AG, told ITPro that data breaches from cloud computing often happen because sensitive data is stored and processed in clear text form.

“While cloud service providers offer data security capabilities, the particular business is still the responsible caretaker. The increased attack surface of cloud environments makes for a potentially weak overall security posture,” he said.

“With a hybrid and multi-cloud strategy data becomes dispersed across multiple clouds as well as their own data centers. With that data security becomes even more difficult to manage. Combined with a modern DevOps culture, misconfigurations and overlooking general security requirements are becoming commonplace.”