Unsecured cloud storage led to data exposure at New England energy company
New England's largest energy provider, Eversource, set cloud storage to open access


Eversource, New England’s largest energy supplier, exposed thousands of customers’ information following a cloud security misconfiguration.
The company is the largest utility in the region and provides electricity and gas to 4.3 million customers in Connecticut, Massachusetts, and New Hampshire.
According to a document released by cyber security firm Cyberscout, a March 16 security review revealed that one of its cloud data storage folders had been misconfigured and set to open access rather than restricted access. The files were created in August 2019.
The data exposure affected approximately 11,000 customers, and the company has notified them all.
The folder contained several files with the personal information of some Eversource eastern Massachusetts customers, including customers’ names, addresses, phone numbers, Social Security numbers, Eversource account numbers, and Massachusetts service addresses. No banking or financial information was involved.
The files were secured the very same day they were discovered, according to the company. The company’s security team said they had no indication that the personal information has been “accessed, acquired or misused by any external party.”
The company’s security team said that the exposure was unintentional and not the result of an attack or breach of Eversource systems.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Camille Charaudeau, VP of product strategy at digital risk protection company CybelAngel, told ITPro that this breach is further proof that addressing data breaches outside the corporate firewall is vital to managing your third-party risk.
“As more organizations turn to cloud providers for everything from infrastructure to apps to support employees, save money, and enable digital transformation, they are expanding their attack surface exponentially,” he said.
“Organizations must constantly scan for leaked documents outside the enterprise perimeter, including connected storage, open databases, cloud applications, and the Dark Web to detect and resolve external risks quickly, before they are exploited.”
Felix Rosbach, product manager at comforte AG, told ITPro that data breaches from cloud computing often happen because sensitive data is stored and processed in clear text form.
“While cloud service providers offer data security capabilities, the particular business is still the responsible caretaker. The increased attack surface of cloud environments makes for a potentially weak overall security posture,” he said.
“With a hybrid and multi-cloud strategy data becomes dispersed across multiple clouds as well as their own data centers. With that data security becomes even more difficult to manage. Combined with a modern DevOps culture, misconfigurations and overlooking general security requirements are becoming commonplace.”
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
By Ross Kelly
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
By Connor Jones
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
By Danny Bradbury
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
By Rene Millman
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
By Praharsha Anand
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
By Rene Millman
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
By Rene Millman
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
By Rene Millman