Database of California Electric Utility Exposed Online

A researcher reported finding an unprotected database belonging to Pacific Gas and Electric (PG&E), a major natural gas and electric utility based in California. The database contained a lot of potentially sensitive information, but the company initially claimed the data was “fake.”

MacKeeper researcher Chris Vickery, who has spent the past months identifying misconfigured databases that had been publicly accessible online, said the PG&E database he discovered appeared to be part of an asset management system and it contained information on 47,000 computers, servers, virtual machines and other devices belonging to the company.

The exposed information, which could have been accessed by anyone without authentication, included IP addresses, hostnames, MAC addresses, locations, operating system data, and over 100 employee passwords. While some of the passwords were hashed, the researcher also found others stored in clear text.

PG&E told Vickery that the unprotected database was fake, but the researcher doubts this is the case, especially since it also included more than 688,000 unique log entries.

“Sure, it’s theoretically possible to create software that could generate massive amounts of fake data, but companies don’t do that. Even if a database is for development purposes only, they tend to fill it with real production data. They do that because production data is easily available and free. Companies generally do not pay people to sit around and create great swaths of false data when plenty of data already exists to use. I’ve seen it over and over again,” Vickery said in a blog post. “To be clear, I absolutely do not believe PG&E’s claim that this is all fictitious data.”

In a statement sent to SecurityWeek after the publication of this article, a PG&E spokesperson confirmed that the database was not fake, as the company initially believed:

· With this incident, it is important to know that none of PG&E’s systems were directly breached in any way and no customer or employee data was involved.

· A PG&E vendor was hosting an online demonstration using PG&E asset management data to show the capabilities of a platform that they were developing for us. This data contained information on PG&E’s technology assets, such as computers and servers.

· This data was exposed online by the vendor and was discovered by a third-party researcher. That researcher contacted PG&E security and was unintentionally misinformed that the data was non-sensitive, mocked-up data. We based this feedback on an initial response from the vendor stating that the information in the database was demo or “fake” data. Following further review, we learned that the data was not fake, removed it, and contacted the researcher to correct our statement.

· We continue working with all of our vendors to have appropriate procedures in place at all times to protect PG&E data in those instances when they have it.

The researcher said the database was quickly taken down on May 26 after he notified PG&E, but he made a copy of the data, which he plans on providing to the Department of Homeland Security (DHS).

The DHS is interested in incidents involving electric utilities since these types of organizations are considered part of the country’s critical infrastructure. The DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed in January that of the 245 incidents reported to the agency in the fiscal year 2015, 16 percent affected the energy sector.

PG&E is not the first power company to be called out by researchers over poor security practices. Last year, researcher Randy Westergren discovered some serious vulnerabilities in the Android app of Delmarva Power, a company that provides electricity and gas to 1.4 million people in Delaware and Maryland.

Companies in the UK have also made the news due to their weak security practices. British Gas, one of the country’s biggest energy suppliers, had its Twitter account hacked in 2014, and last year it revealed that it intentionally made its online services incompatible with password managers.

*Updated with statement from PG&E

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.