Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Database of California Electric Utility Exposed Online

A researcher reported finding an unprotected database belonging to Pacific Gas and Electric (PG&E), a major natural gas and electric utility based in California. The database contained a lot of potentially sensitive information, but the company initially claimed the data was “fake.”

A researcher reported finding an unprotected database belonging to Pacific Gas and Electric (PG&E), a major natural gas and electric utility based in California. The database contained a lot of potentially sensitive information, but the company initially claimed the data was “fake.”

MacKeeper researcher Chris Vickery, who has spent the past months identifying misconfigured databases that had been publicly accessible online, said the PG&E database he discovered appeared to be part of an asset management system and it contained information on 47,000 computers, servers, virtual machines and other devices belonging to the company.

The exposed information, which could have been accessed by anyone without authentication, included IP addresses, hostnames, MAC addresses, locations, operating system data, and over 100 employee passwords. While some of the passwords were hashed, the expert also found ones stored in clear text.

PG&E told Vickery that the unprotected database was fake, but the researcher doubts this is the case, especially since it also included more than 688,000 unique log entries.

“Sure, it’s theoretically possible to create software that could generate massive amounts of fake data, but companies don’t do that. Even if a database is for development purposes only, they tend to fill it with real production data. They do that because production data is easily available and free. Companies generally do not pay people to sit around and create great swaths of false data when plenty of data already exists to use. I’ve seen it over and over again,” Vickery said in a blog post. “To be clear, I absolutely do not believe PG&E’s claim that this is all fictitious data.”

In a statement sent to SecurityWeek after the publication of this article, a PG&E spokesperson confirmed that the database was not fake, as the company initially believed:

· With this incident, it is important to know that none of PG&E’s systems were directly breached in any way and no customer or employee data was involved.


· A PG&E vendor was hosting an online demonstration using PG&E asset management data to show the capabilities of a platform that they were developing for us. This data contained information on PG&E’s technology assets, such as computers and servers.


· This data was exposed online by the vendor and was discovered by a third-party researcher. That researcher contacted PG&E security and was unintentionally misinformed that the data was non-sensitive, mocked-up data. We based this feedback on an initial response from the vendor stating that the information in the database was demo or “fake” data. Following further review, we learned that the data was not fake, removed it, and contacted the researcher to correct our statement.


· We continue working with all of our vendors to have appropriate procedures in place at all times to protect PG&E data in those instances when they have it.

The researcher said the database was quickly taken down on May 26 after he notified PG&E, but he made a copy of the data, which he plans on providing to the Department of Homeland Security (DHS).

The DHS is interested in incidents involving electric utilities since these types of organizations are considered part of the country’s critical infrastructure. The DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed in January that of the 245 incidents reported to the agency in the fiscal year 2015, 16 percent affected the energy sector.

PG&E is not the first power company to be called out by researchers over poor security practices. Last year, researcher Randy Westergren discovered some serious vulnerabilities in the Android app of Delmarva Power, a company that provides electricity and gas to 1.4 million people in Delaware and Maryland.

Companies in the UK have also made the news due to their weak security practices. British Gas, one of the country’s biggest energy suppliers, had its Twitter account hacked in 2014, and last year it revealed that it intentionally made its online services incompatible with password managers.

*Updated with statement from PG&E

Related Reading: US Electric Grid – America the Vulnerable

Related Reading: Oil and Gas Industry Increasingly Hit by Cyber-Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

CommandK announced that it has raised $3 million in a seed funding round for a solution designed to help organizations secure sensitive data.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...