SF utilities agency warns of potential breach

The San Francisco Public Utilities Commission says customer data was on a server that had malware on it.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

The San Francisco Public Utilities Commission is warning its customers that their personal data may have been exposed in a recent breach, an SFPUC spokesman told CNET today.

SFPUC noticed a few weeks ago that an unsecured server that was storing customer data also had some viruses on it, according to spokesman Tyrone Jue. It's unclear how the server got infected with the viruses, he said, adding that "it looked like someone had found an open port on the server and dumped a bunch of viruses on it."

A file on the server contained customer names, account numbers, addresses, phone numbers and some e-mail addresses for SFPUC's 180,000 customers, but did not contain any financial information, he said.

"The server was open (to the Internet) and had an encoded file on there with all of our customer data," Jue said. The file was in plain text but the data was somewhat jumbled, making it difficult to correctly match data to specific customers, he added.

"There was no indication that any information was taken, but in the interest of caution we are notifying customers of the fact," Jue said.

The agency has been sending notices out in customer bills and sending e-mails to anyone who had an e-mail address that was in the file on the server, he said.

"The San Francisco Public Utilities Commission (SFPUC) recently discovered that an unauthorized third party gained access to a SFPUC computer system. We want to assure our customers that the SFPUC does not possess or require Social Security numbers, and that no tax identification numbers and banking information were compromised," the agency said in its e-mail, which was obtained by CNET. "While we believe there is limited cause for concern, we want to use this opportunity to remind our customers to always be on alert for any suspicious e-mails or calls requesting personal or sensitive information."

SFPUC employees always carry identification and only enter a home when scheduled with prior customer approval, the e-mail said.