DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

How do you define “finite and very small:” Peoples Gas/North Shore Gas disclose breach

Posted on December 16, 2011 by Dissent

Steve Daniels reports:

Peoples Gas and sister utility North Shore Gas have notified an undisclosed number of customers of the possible theft and potential use of personal information about them by a contract worker.

The natural gas utilities, which serve nearly 1 million customers in the city of Chicago and many northern suburbs, said in a statement that they were barred by state law from saying how many customers were affected.

They said, though, that the number is “finite and very small.” The companies said they had no information to indicate that the number of customers affected by the possible identity theft would grow.

The contracted employee has been fired and is “subject to criminal investigation and prosecution,” the companies said. They added that they notified affected customers by phone and in writing “in the most expedient time possible and without unreasonable delay as soon as we determined the scope of the situation.”

Read more from Crains. Wailin Wong of The Chicago Tribune also covers the news story.

I have not seen a copy of the actual notification to customers, but am puzzled by references to “possible” theft or “possible” misuse in light of other information, described below.

Last month, having done a bit of digging, I attempted to contact the utilities via contact form to ask them to confirm or deny that they were the unnamed utilities company in this November breach report involving an employee of iQor in Charlotte. I got no response (maybe the form didn’t submit correctly), but note that that news story and other media coverage at the time suggested that there were over 100 victims and definite misuse of customer data.

Following the new media coverage, I contacted Peoples Gas by e-mail, and a spokesperson responded, confirming that this was the same incident that had been reported last month. In a statement provided to DataBreaches.net, the spokesperson writes:

As part of the investigation, Peoples Gas and North Shore Gas have worked diligently with law enforcement agencies to identify customers that could have been affected by the breach and steps have been taken to contact these customers in the most expedient time possible, without unreasonable delay and consistent with any measures necessary to determine the scope of the breach.

This notification process is related to the incident reported recently in Charlotte. We can’t speak for the numbers that were reported there, however we complied with new Illinois law which provides more information to customers and limits disclosure of the numbers.

The new Illinois law referenced in the spokesperson’s statement is likely HB 3025, which will indeed, bar entities from disclosing the total number of Illinois residents affected. One provision  adds the following language to the state’s data breach notification law:

The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

HB 3025 does not go into effect until January 1, however, so Peoples/North Shore probably could have disclosed the numbers.

While this does not appear to be a case where tens of thousands – or even 1,000 – may be affected, if there were over 100 victims, I would not describe 100 victims as “very small.” A small percentage of their customer base, perhaps, but not a small number when you think in terms of human impact.  Others may reasonably disagree with me.

In the meantime, no indictment has yet been  filed in any federal court against the iQor employee or her boyfriend.  According to Herald Online, Hall worked for iQor in their Human Resources department. The data theft reportedly occurred in October, with reports of ID theft and fraudulent card use starting to emerge almost immediately.

Image credit: TonyTheTiger at en.wikipedia, used under Creative Commons License.

No related posts.

Category: Breach IncidentsBusiness SectorOf NoteSubcontractorU.S.

Post navigation

← HI: Tax data infiltrated by state workers (updated)
2.8k Accounts dumped from portalmercosur.com →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • McDonald’s McHire leak involving ‘123456’ admin password exposes 64 million applicant chat records
  • Qilin claims attack on Accu Reference Medical Laboratory. It wasn’t the lab’s first data breach.
  • Louis Vuitton hit by data breach in Türkiye, over 140,000 users exposed; UK customers also affected (1)
  • Infosys McCamish Systems Enters Consent Order with Vermont DFR Over Cyber Incident
  • Obligations under Canada’s data breach notification law
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • DeleteMyInfo Wins 2025 Digital Privacy Excellence Award from Internet Safety Council
  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.