Yesterday, Central Hudson Gas & Electric detected an intrusion and immediately alerted customers to the possibility that their auto-pay bank account information may have been accessed. Today they just issued the following update:
Potentially Affected Customers to be Offered Free Credit Monitoring
Central Hudson is continuing its investigation into a weekend cyber-security attack within its computer network. While there is still no evidence that any customer information was downloaded or misused, the utility has now determined that the number of potentially affected customers is limited to approximately one third of its customer database.
“We will be using an automated telephone system to call all of our customers for whom we have telephone contact information to alert them as to whether they are potentially affected or not by noon tomorrow,” said Central Hudson President James P. Laurito. He stressed that no evidence has been uncovered to date that confirms that any information was transferred during the attack, and that Central Hudson is taking these notification steps as an added precaution.
“The approximately 110,000 customers whose account information was potentially affected will receive from us via U.S. mail an offer of a full year of complimentary credit monitoring as a precaution,” Laurito said. All other customers will be receiving telephone and mail notification that their account is not involved in the investigation.
Central Hudson is conducting its own investigation into the incident, and will continue to work with state and federal law enforcement officials as part of that investigation.
Their response to this breach raises some useful questions. If data were downloaded, their prompt alert is commendable and useful in helping customers protect themselves. If their investigation discovers that no data were downloaded, their alert and follow-up may needlessly worry customers. So what would you do?
And should they have rushed to offer free credit monitoring before they’ve determined whether data were downloaded? Given the cost of the service, would it have made more sense to wait a few days and say – for now – that if they determine that it was downloaded, then affected customers will be offered free services? What would you do?
Companies buy credit monitoring in bulk, which is nowhere close to the retail pricing. And if they’re half-way good negotiators, they are only paying for the ones that enroll. So it’s a good PR move and probably has a low cost. I mean, heck, just how many credit reporting alert services does a breached consumer need? 🙂
Using a discount rate of $10/mo per person (and that’s a lowball estimate) and estimating that 10% of the 110,000 take them up on the offer, that would be about $1.3M for the year. I don’t consider that a low cost. After all, who’s going to pay for this eventually? If the insurer pays out and doesn’t raise the utility’s rates, okay, but otherwise it’s the customers who are eventually going to foot the bill, no?
I believe the admin is right. I have credit monitoring on and it’s over $12.00 a month. But I think in bulk it would be much lower. That 1.3 Mil can be divided amongst all customers, and let’s say is 330,000 people. The hike would be minimal. If they recover it over a year, the increase is $4.00 for the year, or about 30 cents a month.
At least this is proactive after the fact. One doesn’t know if the intruders were caught in the act or through the grapevine, it appears they caught them. Let’s hope the bad stuff has been removed and all returns to normal – minus the security.