Indianapolis Power and Light customer data exposed for up to four years

Date Reported:
12/4/07

Organization:
The AES Corporation

Contractor/Consultant/Branch:
Indianapolis Power and Light (IPL)

Victims:
Residential IPL customers from 2003 to 2007.

Number Affected:
3,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
A recent security audit at Indianapolis Power and Light (IPL) found that certain files containing sensitive personal information about IPL residential customers were accessible through the company's public web site. Some of the files were exposed for up to four years.

Reference URL:
http://www.theindychannel.com/news/14768281/detail.html

Report Credit:
TheIndyChannel.com, Channel 6 News

Response:
From the source cited above:

The private information of thousands of Indianapolis Power and Light customers was inadvertently posted online for up to four years, officials said Monday.

The information affects 3,000 residential IPL customers from 2003 until November 2007.

IPL said the data included names, addresses and Social Security numbers that somehow ended up on an accessible server on the Internet.

Most of the information was out in the open for several weeks. Some other files were exposed for as long as four years.

A recent audit caught the error. IPL is sending out letters to affected customers and is offering a year's worth of free credit monitoring and identity theft insurance.

[Comfyllama] You may have read my comments about this before, but in case you haven't… If a person's identity expired in one year, or we all received new Social Security numbers in one year, then one year of credit monitoring and identity theft insurance would be an excellent response. Don't get me wrong, it is better than nothing, but don't be fooled into thinking that this should protect you from an organization's failure to protect your data. I am not sure, but I think the onus is on the victim to sign up for the free service. IPL probably isn't going to do it for you.

IPL also set up a hot line to deal with inquiries about the situation. The number is .

Commentary:
Is this the first such security audit that IPL has conducted?  If not, then how do you explain the fact that this information was missed for up to four years?  In my opinion, utility companies should not be using Social Security numbers in the first place.  I understand how they do use them (i.e. reporting for collections, checking credit, etc.), but it doesn't mean I need to agree with it.

There is no mention in this brief news story about what IPL does to protect personal information.  Customers should be calling with demands for answers.  If IPL is going to collect personal information, what (exactly) do they plan to do to protect it?  I suppose customers just assume that a reputable company would be doing the right thing.  There is also no mention of whether or not IPL contacted the various internet search engines (Google, Yahoo, etc.) to have the information removed from cache, but maybe we should just keep assuming.
 
Past Breaches:
Unknown



 