[BreachExchange] Potential data breach of unknown number of Alectra customers through Hamilton water bills

Destry Winant destry at riskbasedsecurity.com
Thu Dec 12 09:59:17 EST 2019


Hamilton is scrambling to get more information about a potential data
breach that revealed customers' names, addresses and roll numbers from
their water bills.

The city said Wednesday that there was a potential leak of information
through Alectra Utilities, which handles water billing for the city,
regarding an unknown number of customers.

City staff discovered the potential breach, said Mayor Fred
Eisenberger, and notified Alectra. Now the city will notify all
affected customers and bill Alectra for the cost.

In a statement emailed to CBC, the utility said it is "working
closely" with the city to "resolve this matter to their satisfaction."

Spokesperson John Friesen said Alectra, which handles water billing
for about 150,000 customers on behalf of the city, is not aware of
"any information being compromised" at this point.

Eisenberger said the breach may have originated offshore. City
programmers were doing work and realized that some of Alectra's
third-party vendors may have access to information without the appropriate

The city says it hasn't confirmed that a privacy breach has occurred,
or that the information was used for a reason other than delivering
water services. But the public is being advised to maintain its
"normal level of vigilance" when it comes to personal information.

"This is kind of a precautionary forewarning," he said. "City staff is
still trying to come to an understanding of who and how many. What we
do know is what might have been released which is the municipal tax
roll number, name and address. Very low level stuff."

City council received a staff report this afternoon, and all but
Eisenberger and one other council member voted to make the report

The city is also notifying the Information and Privacy Commissioner of
Ontario (IPC).

Friesen said the utility will "cooperate fully" with any investigation
by the IPC, adding the company's own privacy officer has also been
