Central Hudson Cyber Attack Investigation Progress
Yesterday, Central Hudson Gas & Electric detected an intrusion and immediately alerted customers to the possibility that their auto-pay bank account information may have been accessed. Today, they issued the following update:
Potentially Affected Customers to be Offered Free Credit Monitoring
Central Hudson is continuing its investigation into a weekend cyber-security attack within its computer network. While there is still no evidence that any customer information was downloaded or misused, the utility has now determined that the number of potentially affected customers is limited to approximately one third of its customer database.
“We will be using an automated telephone system to call all of our customers for whom we have telephone contact information to alert them as to whether they are potentially affected or not by noon tomorrow,” said Central Hudson President James P. Laurito. He stressed that no evidence has been uncovered to date that confirms that any information was transferred during the attack, and that Central Hudson is taking these notification steps as an added precaution.
“The approximately 110,000 customers whose account information was potentially affected will receive from us via U.S. mail an offer of a full year of complimentary credit monitoring as a precaution,” Laurito said. All other customers will be receiving telephone and mail notification that their account is not involved in the investigation.
Central Hudson is conducting its own investigation into the incident, and will continue to work with state and federal law enforcement officials as part of that investigation.
Their response to this breach raises some useful questions. If data were downloaded, their prompt alert is commendable and useful in helping customers protect themselves. If their investigation discovers that no data were downloaded, their alert and follow-up may needlessly worry customers. So what would you do?
And should they have rushed to offer free credit monitoring before they’ve determined whether data were downloaded? Given the cost of the service, would it have made more sense to wait a few days and say – for now – that if they determine that data were downloaded, then affected customers will be offered free services? What would you do?