Any kind of basic security assessment will include a scan of the system to find open ports. After finding an open port a security professional will close off the open port to the Internet.
The San Francisco Public Utilities Commission (SFPUC) could have used that advice as personal data is now in the wild after a breach at the utility.
An unsecured server that stores customer data also had some viruses on it, according to SFPUC spokesman Tyrone Jue. It’s unclear how the viruses infected the server, he said, adding “it looked like someone had found an open port on the server and dumped a bunch of viruses on it.”
A file on the server contained customer names, account numbers, addresses, phone numbers and some email addresses for SFPUC’s 180,000 customers, but did not contain any financial information, he said.
“The server was open (to the Internet) and had an encoded file on there with all of our customer data,” Jue said. The file was in plain text but the data was somewhat jumbled, making it difficult to correctly match data to specific customers, he added.
“There was no indication that any information was taken, but in the interest of caution we are notifying customers of the fact,” Jue said.
The agency sent notices out in customer bills and sent emails to anyone who had an email address that was in the file on the server, he said.
“The San Francisco Public Utilities Commission (SFPUC) recently discovered that an unauthorized third party gained access to a SFPUC computer system. We want to assure our customers that the SFPUC does not possess or require Social Security numbers, and that no tax identification numbers and banking information were compromised,” the agency said in its email. “While we believe there is limited cause for concern, we want to use this opportunity to remind our customers to always be on alert for any suspicious emails or calls requesting personal or sensitive information.”
SFPUC employees always carry identification and only enter a home when scheduled with prior customer approval, the email said.