Q. What happened, and what type of information is affected?
A.Central Hudson employees uncovered the incident on Tuesday, Feb. 19, as a result of regular control procedures. We discovered that information regarding some customers had the potential to have been accessed via a cyber-security incident over that previous weekend. An investigation by a forensic computer expert found no evidence that information was downloaded or misused, but Central Hudson continues to err on the side of caution in recommending to customers that they remain vigilant regarding their credit.
The investigation conducted by an expert forensic computer firm on Central Hudson’s internal systems confirmed that the incident was the result of malware that infiltrated Central Hudson’s information systems during or prior to September 2012 but likely lay dormant until earlier this year. The malware, which Central Hudson personnel discovered and disabled on February 19, 2013, was designed to seek out and export information. While the potential exists that information contained on the front of bank checks was exported, it cannot be confirmed what, if any, information was ever actually transferred.
Q. Who is affected by this cyber-incident?
A. Information for approximately one-third of Central Hudson’s customers has the potential to have been accessed.
Q. How is Central Hudson communicating to customers?
A. Customers for whom we have telephone contact information were called by an automated telephone system to alert them as to whether there is the potential that their information may or may not be involved, and a follow-up letter was sent. We are also communicating on social media, our website, and through the news media.
Q. What protections is Central Hudson offering customers who may be affected?
A. Customers who may be potentially affected received the option of enrolling in one year of credit monitoring and identity theft services from Experian at no charge. These eligible customers received a letter outlining the enrollment process.
Q. What do I need to do as a potentially affected customer?
A. You have the option to enroll in one year of credit monitoring and identity theft protection through Experian at no charge. As a precaution, you may also wish to monitor your bank accounts for suspicious or unauthorized activity. Contact local law enforcement and your bank if unauthorized activity is suspected.
Q. Central Hudson has informed me that I am not at risk. Is there anything I should be doing?
A. You should have no concerns about this cyber incident.
Q. Is Central Hudson going to reimburse for losses that are due to this attack?
A. Potentially impacted customers received enrollment instructions for a full year’s worth of free credit monitoring protection. Those who enroll and are impacted will work through the program to be reimbursed for losses if eligible. Eligible customers received enrollment instructions by U.S. Mail but they must sign up by June 30, 2013, in order to be covered. The coverage is retroactive until February 15, 2013, and will extend until June 16, 2014; it will cover all verifiable claims, providing that customers enroll and file fraud complaints promptly. If you are potentially impacted, the identity theft protection comes with $1 million in protection for personal losses (note this is only for residential customers). See above; you must enroll in order to be covered by the plan.
Q. What will the credit monitoring include?
A. For those customers whose information was potentially involved, we have made arrangements to offer them via U.S. Mail the opportunity to enroll in a year's worth of free credit monitoring from Experian. Those who enroll will receive the following:
- Credit Report: A free copy of their Experian credit report
- Daily 3 Bureau Credit Monitoring: Alerts them of suspicious activity including new inquiries, newly opened accounts, delinquencies, or medical collections found on your Experian, Equifax® and TransUnion® credit reports. (alerts can be phone, email, text)
- Identity Theft Resolution: If they have been a victim of identity theft, they will be assigned a dedicated, U.S.-based Experian Identity Theft Resolution Agent who will walk them through the fraud resolution process, from start to finish.
- ExtendCARE: Full access to the same personalized assistance from a highly trained Fraud Resolution Agent even after your initial ProtectMyID membership expires.
- $1 Million Identity Theft Insurance*: As a ProtectMyID member, they are immediately covered by a $1 Million insurance policy that can help them cover certain costs including, lost wages, private investigator fees, and unauthorized electronic fund transfers.
Q. If more than one family member or person (not necessarily a family member) in the household pays the Central Hudson bills will Central Hudson be offering credit monitoring to each?
A. No, only one person in the household is eligible for the credit monitoring. Under certain scenarios, we can make exceptions if we think it is necessary to do so.
Q. If after the year free enrollment is over, can customers reapply?
A. Yes, Experian will notify you on how to renew for a fee prior to the expiration of the year membership.
Q. Why is Central Hudson offering credit monitoring if no information has been determined to have been downloaded?
A. It is important to us to offer services to protect our customers. We prefer to err on the side of caution.
Q. How does Central Hudson protect its systems from this type of attack now and in the future?
A. Central Hudson uses a variety of security measures to protect customer information, and we regularly adapt these controls to respond to changing requirements and advances in technology. A team of employees is also dedicated to cyber security, and we work with electric and natural gas industry groups to enhance our cyber-security systems. We take this issue very seriously.
Q. Will Central Hudson notify customers once the investigation is complete?
We take this incident very seriously, and we will continue to add new safeguards and procedures to further bolster our cyber security systems. Those steps include isolating computers with sensitive data from the internet, changing password protocols, educating employees about how to identify security issues, updating software patches, and auditing security procedures to continually improve them.
A. Central Hudson’s internal investigation is complete; law enforcement officials will continue to complete their external investigation. Central Hudson will notify all potentially impacted customers by mail of the results of the investigation during April 2013.
Q. What protections does Central Hudson provide to its customers’ sensitive payment information?
A. Central Hudson is in full compliance with all state and federal laws regarding processing customer payments, including those contained within the Check Clearing for the 21st Century Act (Check 21).