Following news of a breach at TIO Networks, a company PayPal recently acquired, PayPal has announced that information on over 1 million customers may have been compromised. Duke Energy’s customers are among those impacted.

Data Breach Details

TIO Networks, the victim of the breach, is a payment processor that serves customers who pay utility and cable bills in cash at kiosks and walk-in locations.

Here are the details to date on this breach:

  • A Duke Energy spokesman said that about 370,000 Duke Energy customers in the Carolinas may have had addresses, banking data and other personal information exposed in a potential data breach stretching back to 2008.
  • The spokesman said the utility learned Nov. 10 of the potential breach.
  • Duke said customers who might be affected are those who paid bills by check or cash at one of the company’s 550 walk-in payment centers between 2008 and 2017.

While TIO Networks is offering free 12-month credit monitoring to affected customers, the impact on its customers is more immediate. Customers need to identify an alternate way to pay their bills while the TIO Network remains down. There is no timeline for restoring bill payment services.

Getting Breach Response Right

Duke Energy has done several things right in response to this breach affecting its customers, including:

  • Prompt notification regarding the breach by Duke to their customers
  • Clear response regarding who was impacted – customers using the company’s authorized walk-in payment locations
  • Clear messaging regarding the fact that Duke Energy’s systems were not affected
  • Support for customers in making alternate payment arrangements. From their press release: Duke Energy Carolinas customers can continue to make payments in person at any Western Union location — an agreement that Duke Energy established shortly after TIO Networks suspended the payment system — or can pay by check, debit or credit card online.

Takeaways for Businesses

In a previous post, we talked about data security in the power sector. Protecting critical infrastructure is top of mind in this sector, but protecting consumer data is also a concern. Some takeaways for businesses include:

  • Understand the potential impact if your data or systems are compromised via others in your supply chain, and have a ready incident response plan in the event of a breach.
  • Use data from online monitoring software to baseline normal behavior and alert on suspicious activity that might indicate sensitive data is leaving the organization.
  • Be timely with the initial announcement to customers, provide detailed information regarding the impact to customers and steps customers should take, and be helpful and empathetic to make next steps easier for customers.
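
The second takeaway above (baseline normal behavior, then alert on possible data leaving the organization), sketched as an added example that is not code from the original post or from any monitoring product. It builds a per-user baseline of daily outbound bytes from median and MAD and flags large deviations; the record format, user names, thresholds and all sample values are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (user, day, outbound_bytes) as a monitoring tool
# might export it. Names and values are hypothetical.
BASELINE = [
    ("alice", "2017-11-01", 120_000_000), ("alice", "2017-11-02", 95_000_000),
    ("alice", "2017-11-03", 130_000_000), ("alice", "2017-11-06", 110_000_000),
    ("alice", "2017-11-07", 105_000_000),
    ("bob", "2017-11-01", 5_000_000), ("bob", "2017-11-02", 5_000_000),
    ("bob", "2017-11-03", 5_000_000), ("bob", "2017-11-06", 5_000_000),
    ("bob", "2017-11-07", 5_000_000),
]
TODAY = [
    ("alice", "2017-11-08", 140_000_000),   # busy but normal for alice
    ("bob", "2017-11-08", 900_000_000),     # far outside bob's history
    ("carol", "2017-11-08", 50_000_000),    # no history at all
]

def build_baseline(records, min_days=5):
    """Per-user median and MAD of daily outbound bytes."""
    per_user = defaultdict(list)
    for user, _day, nbytes in records:
        per_user[user].append(nbytes)
    baseline = {}
    for user, values in per_user.items():
        if len(values) < min_days:
            continue  # too little history to call anything "normal"
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[user] = (med, mad)
    return baseline

def find_alerts(baseline, records, k=6.0, min_spread=0.10):
    """Flag users whose outbound volume exceeds median + k * spread."""
    alerts = []
    for user, day, nbytes in records:
        if user not in baseline:
            alerts.append((user, day, "no-baseline"))
            continue
        med, mad = baseline[user]
        # 1.4826 * MAD approximates a standard deviation; the floor keeps a
        # perfectly flat history (MAD == 0) from alerting on tiny changes.
        spread = max(1.4826 * mad, min_spread * med)
        if nbytes > med + k * spread:
            alerts.append((user, day, "volume-spike"))
    return alerts
```

Median and MAD are used instead of mean and standard deviation so that one earlier spike in the history does not inflate the baseline and hide the next one.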
