In February 2018, the North American Electric Reliability Corp (NERC) fined The Pacific Gas and Electric Company (PG&E) $2.7 million. The offense? A 2016 data breach that left roughly 30,000 sensitive records exposed online for 70 days.
For PG&E, this was a lesson in the value of protecting business data and thoroughly vetting any third-party vendors allowed near company records.
What led to the PG&E data breach and how can you avoid similar mistakes? Today, we’re diving into this saga and detailing how it unfolded.
The PG&E Data Breach: What Happened?
Back in 2016, PG&E hired a third-party vendor to develop an asset management platform. When the vendor copied data from the company’s network to its own, important security measures were overlooked.
On PG&E’s own network, that data sat behind login and authentication controls. Once copied to the vendor’s network, none of those controls applied.
As a result, a portion of the live data, roughly 30,000 records, was accessible online, outside PG&E’s visibility and control. It remained that way for close to 70 days.
Though PG&E believed no other party had downloaded or even accessed the exposed data, the damage was already done. The utility only learned of the exposure when a white-hat security researcher named Chris Vickery alerted it, and only then took action.
To regain its records and reputation, PG&E asked the researcher to assist in data recovery efforts. Specifically, it asked him to securely return the data, securely delete any copies from his own systems, and submit a signed and notarized affidavit confirming that he had followed through with those steps.
From there, PG&E reported the breach to government regulators. NERC’s review of the incident ended in the fine of nearly $3 million described above.
3 Lessons Learned from this Utility IT Failure
1. Hold Vendors Accountable to Following Your Processes and Procedures
It is believed that the breach wasn’t intentionally malicious, but that the vendor wasn’t completely clear on how to approach data once it left PG&E’s network.
Any time you hire a vendor, whether an ERP vendor or another type of enterprise software vendor, it’s critical to provide thorough, complete training on procedures to follow. Then, make sure the vendor doesn’t misrepresent any aspect of their approach or their level of understanding.
2. Vet Vendors’ Claims About the Type of Data They’re Using
When PG&E first responded to the breach, they explained it away. They said the vendor had assured them the asset management system didn’t contain any real data. Rather, it was filled with mocked-up data used only for development purposes, and the data was non-sensitive in nature.
The only issue with that claim? In a blog post, Vickery explained that the information he stumbled upon did, indeed, contain real production data. Within it, he found details for more than 47,000 PG&E computers, along with records about the utility’s virtual machines, servers, and other devices.
Later, PG&E retracted their original claim. They said they conducted a further review, found that the vendor’s claims were false, and removed access to the records.
NERC agreed, explaining that the exposed data contained critical cyber assets (CCAs), including:
- Servers that store user data
- Systems that control access to substations and control centers
- A supervisory control and data acquisition (SCADA) system
In the wrong hands, details about these CCAs could expose the bulk power system to serious risk.
The lesson? Don’t take vendors at their word. Verify what a vendor says about the data it holds, and put controls in place so that critical records can’t easily be manipulated, shared, or exposed. This especially applies to data that is sensitive or that could place other parties at risk.
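One concrete way to vet a vendor’s “it’s only mock data” claim is to gate any dataset leaving your environment behind an automated check that compares it against your real asset inventory. The script below is an added example written for this article, not code from PG&E, the vendor, or NERC. The inventory, the network ranges, the salt and the vendor export are all constructed placeholders; in practice the inventory would come from your CMDB and the check would run before the export is handed over.

```python
"""Pre-release check for a dataset a vendor says is synthetic.

Flags rows whose hostname matches the production inventory or whose IP
falls inside production address space. All inventory data below is
constructed for this example (hypothetical), not real PG&E data.
"""
import csv
import hashlib
import io
import ipaddress

# Hypothetical production inventory; in practice exported from the CMDB.
PRODUCTION_HOSTNAMES = {
    "scada-hist-01.corp.example",
    "substation-gw-07.corp.example",
    "vm-asset-213.corp.example",
}
PRODUCTION_NETWORKS = [
    ipaddress.ip_network("10.40.0.0/16"),
    ipaddress.ip_network("172.20.8.0/22"),
]

# The checker holds salted hashes rather than the raw hostname list, so the
# check itself does not become another copy of the sensitive inventory.
SALT = b"pre-release-check-salt"  # hypothetical value


def fingerprint(value: str) -> str:
    """Salted SHA-256 of a normalised hostname."""
    return hashlib.sha256(SALT + value.strip().lower().encode()).hexdigest()


PRODUCTION_FINGERPRINTS = {fingerprint(h) for h in PRODUCTION_HOSTNAMES}

# Constructed vendor export: two rows are genuinely fake, two are real assets.
VENDOR_EXPORT = """hostname,ip,role
test-box-01.lab.example,192.0.2.10,workstation
scada-hist-01.corp.example,10.40.12.5,historian
vm-asset-213.corp.example,10.40.77.9,vm
dummy-02.lab.example,198.51.100.4,server
"""


def audit_export(csv_text, prod_fingerprints=PRODUCTION_FINGERPRINTS,
                 prod_networks=PRODUCTION_NETWORKS):
    """Return a list of (line_no, field, value, reason) for every production
    identifier found in the export. An empty list means nothing matched."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        host = row.get("hostname", "")
        if host and fingerprint(host) in prod_fingerprints:
            findings.append((line_no, "hostname", host,
                             "matches production inventory"))
        ip_text = row.get("ip", "")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # blank or malformed IP: nothing to compare
        if any(ip in net for net in prod_networks):
            findings.append((line_no, "ip", ip_text,
                             "inside production address space"))
    return findings


def export_is_mock(csv_text):
    """True only if no production identifier appears in the export."""
    return not audit_export(csv_text)


if __name__ == "__main__":
    for line_no, field, value, reason in audit_export(VENDOR_EXPORT):
        print(f"line {line_no}: {field}={value} ({reason})")
    print("safe to release:", export_is_mock(VENDOR_EXPORT))
```

Run against the constructed export, the check rejects the release: the historian and VM rows carry both a real hostname and a production address, while the two lab rows (which use RFC 5737 documentation addresses) pass. The same gate belongs in whatever pipeline copies data to a vendor, and the vendor’s own environment should still require authentication even for data that passes it.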
3. Regularly Update Your Information Security Plan
After acknowledging the breach and taking the exposed server offline, PG&E took a careful look at its existing information security plan. To close the obvious gaps, it hired digital forensic experts to help investigate and strengthen the plan.
From there, PG&E adopted many changes to its policies, procedures, and technologies. Chief among them was a new system for source code management, which all internal parties and third-party vendors were thereafter required to use.
When was the last time you reviewed your data security plan? Common cyber threats change on a regular basis, so it’s important to take the time to regularly fine-tune your plan to ensure both internal and external parties are trained on the latest policies.
We also recommend developing a change management plan for any new cybersecurity measures, so employees receive adequate training and communication.
Keeping Your Business Data Secure
Your business data is one of your most important assets. It’s critical to keep it protected at every turn.
Training your employees on security procedures is essential, but as the PG&E data breach shows, vendors also need to be well-versed in those procedures, and their claims about how they handle your data need to be verified.
Whether it’s asset management software or ERP software, vigilance is important when you’re trusting a vendor to handle your records. In an ERP implementation, thoroughly train anyone who will handle legacy data or interface with the software during implementation.
Our team of ERP consultants can help keep your project secure and on track. Contact us below to learn more.