According to a report by Gizmodo, an American power company settled to pay $2.7 million dollars in a suit filed by power regulators, who discovered significant security oversights in the company’s records. The name of the company has yet to be released, but reports claim that a security researcher discovered over 30,000 online records that the company had failed to secure with even a password.
The unnamed company has yet to confirm or deny these claims, but an electronic filing states, “These violations posed a serious or substantial risk to the reliability of the bulk power station,” with data that included cryptographic information regarding usernames and passwords being publicly available online for over 70 days. The filing claims that this kind of information in the hands of a hacker could provide the ability to decode passwords and commit other dangerous breaches, saying, “A malicious attacker could use this information to breach the secure infrastructure and access the internal [critical cyber assets] by jumping from host to host within the network.”
The primary suspect for this oversight is Pacific Gas & Electric, a power company in California who got in trouble for similar security issues in 2016. This 2016 breach was discovered by Chris Vickery who was working at Mackeeper at the time, though he’s now the director of cyber risk research at UpGuard. He wrote in the 2016 report that PG&E’s asset management systems “contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing.”
PG&E’s initial response to this report was that the unsecure database was a fake, but later released a formal statement admitting to the oversight. Seeing as the Obama administration deemed the energy sector as “uniquely critical” when it comes to infrastructure security, Vickery notified the Department of Homeland Security of the breach so that they could identify whether any of this unsecure information was accessed and used with malicious intent.
Whoever this unconfirmed energy provider is, they are currently facing history’s largest disclosed penalty of this kind, pending approval of the Federal Energy Regulatory Commission. PG&E has declined to comment on the penalty.