Pacific Gas and Electric Database Exposed
According to the U.S. Department of Homeland Security, electric utility companies are part of the nation's "critical infrastructure."
UPDATE (Jun 1st): This post has been updated to include a statement from PG&E.
Last week I discovered a data breach involving Pacific Gas and Electric, a very large electric utility company in California. The publicly exposed database appeared to be PG&E's asset management system. Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing.
Follow the latest security news and data breaches at MacKeeper Security Research Center with Chris Vickery.
We're talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more. This would be a treasure trove for any hostile nation-state hacking group. That's not to mention the 120 hashed employee passwords, or the plaintext NTLM, SOAP, and mail passwords.
Does anyone recall a recent example of hackers crippling an electric utility? I do: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid
Before going any further I want to let you know that PG&E's IT department is trying to claim that the database was "fake". However, I want you to also know that nearly every data breach that I find is initially claimed to be fake. It's a quick, easy excuse when your company is caught with its pants down and, if it works, you get off free and clear. But that excuse isn't going to work this time.
Fictitious databases do not generally have areas specifically marked development, production, and enterprise. Fictitious databases do not generally have over 688,000 unique log record entries. This database did.
Sure, it's theoretically possible to create software that could generate massive amounts of fake data, but companies don't do that. Even if a database is for development purposes only, they tend to fill it with real production data. They do that because production data is easily available and free. Companies generally do not pay people to sit around and create great swaths of false data when plenty of data already exists to use. I've seen it over and over again.
To be clear, I absolutely do not believe PG&E's claim that this is all fictitious data. They sure took it down quickly after I notified them on Thursday, May 26th.
PG&E didn't bother to ask me if I downloaded a copy of this open, publicly exposed database. I'll tell you now that I did. I still have it.
Ultimately, I would like to provide it to the US Department of Homeland Security so that they can 1) determine whether or not the data is genuine; and 2) take appropriate actions in the event that hostile actors also found the database.
So, if you work for DHS and you're reading this, please contact me at email@example.com if you are interested in verifying the data set and taking appropriate measures to remediate in the event that other parties also obtained a copy.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.