Steve Daniels reports:
Peoples Gas and sister utility North Shore Gas have notified an undisclosed number of customers of the possible theft and potential use of personal information about them by a contract worker.
The natural gas utilities, which serve nearly 1 million customers in the city of Chicago and many northern suburbs, said in a statement that they were barred by state law from saying how many customers were affected.
They said, though, that the number is “finite and very small.” The companies said they had no information to indicate that the number of customers affected by the possible identity theft would grow.
The contracted employee has been fired and is “subject to criminal investigation and prosecution,” the companies said. They added that they notified affected customers by phone and in writing “in the most expedient time possible and without unreasonable delay as soon as we determined the scope of the situation.”
Read more from Crains. Wailin Wong of The Chicago Tribune also covers the news story.
I have not seen a copy of the actual notification to customers, but am puzzled by references to “possible” theft or “possible” misuse in light of other information, described below.
Last month, having done a bit of digging, I attempted to contact the utilities via contact form to ask them to confirm or deny that they were the unnamed utilities company in this November breach report involving an employee of iQor in Charlotte. I got no response (maybe the form didn’t submit correctly), but note that that news story and other media coverage at the time suggested that there were over 100 victims and definite misuse of customer data.
Following the new media coverage, I contacted Peoples Gas by e-mail, and a spokesperson responded, confirming that this was the same incident that had been reported last month. In a statement provided to DataBreaches.net, the spokesperson writes:
As part of the investigation, Peoples Gas and North Shore Gas have worked diligently with law enforcement agencies to identify customers that could have been affected by the breach and steps have been taken to contact these customers in the most expedient time possible, without unreasonable delay and consistent with any measures necessary to determine the scope of the breach.
This notification process is related to the incident reported recently in Charlotte. We can’t speak for the numbers that were reported there, however we complied with new Illinois law which provides more information to customers and limits disclosure of the numbers.
The new Illinois law referenced in the spokesperson’s statement is likely HB 3025, which will indeed, bar entities from disclosing the total number of Illinois residents affected. One provision adds the following language to the state’s data breach notification law:
The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
HB 3025 does not go into effect until January 1, however, so Peoples/North Shore probably could have disclosed the numbers.
While this does not appear to be a case where tens of thousands – or even 1,000 – may be affected, if there were over 100 victims, I would not describe 100 victims as “very small.” A small percentage of their customer base, perhaps, but not a small number when you think in terms of human impact. Others may reasonably disagree with me.
In the meantime, no indictment has yet been filed in any federal court against the iQor employee or her boyfriend. According to Herald Online, Hall worked for iQor in their Human Resources department. The data theft reportedly occurred in October, with reports of ID theft and fraudulent card use starting to emerge almost immediately.
Image credit: TonyTheTiger at en.wikipedia, used under Creative Commons License.