13WHAM.com is reporting that RG&E has disclosed “unauthorized access to customer data.” So, what exactly was revealed?
This situation involves an employee at an independent firm who allowed unauthorized access to one of the companies’ customer information systems.
There is no evidence that any customer data has actually been misused, or that there was any malicious intent.
The @DandC is reporting similar information. As you would expect, the company’s press announcements are predictably bland, avoiding as much controversy as possible.
To say that an independent firm “allowed unauthorized access” to another company’s information systems makes it very difficult to know what the security threat actually was. But two IT infrastructures inadvertently sharing data does not seem like enough of a security breach to be worth reporting to the public, which makes me wonder how much farther this goes.
The D&C says “The customer records contain Social Security numbers, dates of birth and, in some cases, financial institution account numbers,” in other words: your bank or credit card number. And that’s certainly bad. It also raises a question: aren’t RG&E and NYSEG required to be PCI compliant? As in: not storing financial account information on their own servers in the first place?
PCI is the security standard for credit card payments online: if your IT infrastructure cannot meet the minimum threshold of PCI compliance, you cannot charge cards. But really, that standard includes a lot of security requirements that extend well beyond credit cards. Storing financial information on any server or system that is potentially exposed to the outside is a big no-no. It’s possible NYSEG achieved PCI compliance without using a third-party credit processing system, but now that compliance is in question. Because of course: what PCI is meant to prevent has now apparently happened.