Hacker Boasts Access to Con Edison Customer and Contractor Database

A threat actor claims to have hacked Consolidated Edison (ConEdison), stealing a dataset comprising 500,000 records that expose sensitive information on customers and contractors.

ConEdison is a New York-based energy firm, one of the largest of its kind in the United States. It employs over 14,000 people, has an annual revenue that surpasses $13.5 billion, and assets worth over $62 billion. The company provides electrical power and gas transmission services to millions of customers in New York City, Westchester County, and the New York metropolitan area, as well as steam services in the Manhattan Borough. Its subsidiaries, Orange and Rockland Utilities, also serve customers in southeastern New York and northern New Jersey.

Yesterday, a threat actor on the hacker space “Breach Forums,” claimed to have hacked Consolidated Edison, stealing a database that contains 500,000 customer and contractor records. The user has shared a sample of 500 records that other forum members can access by paying a small fee.

RestorePrivacy examined the leaked files and found filled-out connection request forms and cost estimates. The files contain personally identifiable information on customers and contractors, including the following:

• Full names
• Phone numbers
• Home addresses
• Email addresses

Moreover, the documents contain unique case identifiers, payee information, cost details, work descriptions, tax information, purchase and equipment information, etc. All that information combined can be used in phishing, scamming, and social engineering attacks against ConEdison customers, like, for example, impersonating a contractor to the client and convincing them to pay bogus emergency charges.

The fact that the threat actor doesn’t mention anything about their intention to sell the full package to other cybercriminals makes this case blurry. The user might want to leak the stolen files on the forums gradually to enjoy more publicity, they might be extorting ConEdison in the background, or they might simply not hold any other data.

RestorePrivacy has contacted Consolidated Edison with a request for a comment on the authenticity of the leaked documents, the impact of the breach, and their mitigation plans.

Further reading:

• Twitter Now Acknowledges Security Bug That Exposed Data from 5.4+ Million Accounts
• Data from 2.5M LinkedIn Premium Users Freely Shared on Hacking Forum
• Air Europa is Sending Notices of a Data Breach to Customers
• 1Password Discloses Security Breach Linked to Okta
• AT&T Says It’s Investigating Claims About a Data Breach