Wednesday, July 24, 2024

Eversource Energy work is done in Cambridge on March 23. (Photo: Marc Levy)

All 1.8 million Massachusetts customers of electricity and gas utility Eversource Energy were affected by a recent data breach that is part of a worldwide hack that has hit hundreds of companies and millions of people. The Eversource customers had their name, address, contact information and Eversource account and usage information taken, but not their Social Security numbers, according to an email notifying customers Aug. 28.

A smaller number of customers who were part of the utility’s separate solar incentive program had their Social Security numbers taken, Eversource spokesperson Christopher McKinnon said. He declined to give the number of customers affected, saying that Massachusetts law prohibits disclosure of that information when a Social Security number is involved.

The Eversource vendor involved in the breach, though, reported to the state that almost 11,000 customers were victims who had their Social Security numbers taken.

MOVEit is a file transfer program developed by Progress Software, based in Massachusetts. The hack of that program has affected more than 600 organizations and almost 40 million people worldwide, and experts expect the effects to continue, according to a Reuters report.

The hack recently hit the Eversource vendor, CLEAResult, “that Eversource uses to administer solar incentive, energy efficiency and electric vehicle-grid modernization programs,” McKinnon said. The vendor also administers the solar incentive program, separately from the larger energy efficiency program, he said.

For the energy efficiency program, CLEAResult used customer account and use information “to administer Mass Save energy efficiency programs for the benefit of Massachusetts utility customers,” McKinnon said.

“We take seriously the security of our customers’ information, and we continue to review the security controls of all contractors while taking appropriate protective security measures for Eversource systems to protect customers,” he said.

CLEAResult, based in Austin, Texas, says it is the largest provider of energy efficiency, energy transition and decarbonization solutions in North America. The company reported to the Massachusetts Office of Consumer Affairs on Wednesday that 10,964 customers had been affected by a data breach that involved Social Security numbers, according to the agency’s database of reports. McKinnon said those were the Eversource solar incentive program customers.

McKinnon said: “It is common for scammers to target customers following incidents like this, and we encourage our customers to remain vigilant by reviewing their account information and statements while being wary of scam activities and communications.” He provided a link to an Eversource webpage with tips on avoiding scams.

The utility is not providing credit monitoring to its total customer base, which did not have Social Security information taken, but CLEAResult is offering free identity theft monitoring to the solar incentive program participants.

CLEAResult was involved in a similar data breach involving customers of National Grid, the former Massachusetts Electric Co. utility that also serves New York and Rhode Island. National Grid, which announced the breach, said customers’ names, contact information, account numbers and use information had been exposed, but not passwords or financial data, The Boston Globe reported last week.