A US-based power company has agreed to pay a $2.7 million penalty after inadvertently exposing sensitive data online and violating energy industry cybersecurity standards.
According to an electronic filing by the North American Electric Reliability Corporation (NERC) on Feb. 28, the unnamed utility reached the settlement with power regulators while neither admitting nor denying the violations.
The notice made to the Federal Energy Regulatory Commission (FERC) states the power company received a report from a security researcher who had discovered more than 30,000 asset records online, including information such as IP addresses and server host names.
“The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords,” read the notice
....
....
....