London Hydro Data Breach Exposes Customer Account Details, Key Questions Remain Unanswered
Canadian utility London Hydro disclosed a data breach potentially exposing customer names, addresses, and account numbers, but has not revealed the attack vector or whether operational systems were affected.

London Hydro, the electricity distributor serving more than 160,000 customers in and around London, Ontario, disclosed on Saturday that it is investigating a data security incident that may have exposed personal information associated with some customer accounts. The utility has begun notifying affected individuals, but has provided few technical details about the breach, leaving customers and security experts with more questions than answers.
The potentially exposed data includes names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates, and meter information. London Hydro emphasized that no banking information, payment card details, dates of birth, government-issued identification numbers, or other sensitive financial data were compromised. However, the exposed account details are sufficient to enable convincing phishing attacks, such as fake utility bills or payment demands, targeting customers.
London Hydro has not disclosed what systems were compromised, how the incident occurred, whether data was exfiltrated or merely accessed, or how many customers are affected. The company also has not confirmed whether ransomware or extortion was involved, whether any third-party systems were implicated, or whether operational technology or grid systems were touched during the incident. The Register reached out to London Hydro for comment but had not received a response at the time of writing.
The utility is warning customers to watch for suspicious communications, unexpected bills, unfamiliar account activity, or requests to change payment arrangements. It reminded customers that it does not ask for banking details by email, phone, or SMS. The incident remains under investigation, and London Hydro has not provided a timeline for when more details might be released.
This breach highlights the growing threat to critical infrastructure from cyberattacks that target customer data rather than operational systems. While the immediate risk to the power grid appears low, the exposure of account information could lead to fraud and identity theft. The lack of transparency from London Hydro is concerning, as it prevents customers and the broader security community from fully assessing the risk. The incident underscores the need for utilities to have robust incident response plans and to communicate clearly with stakeholders during a crisis.