Monday, April 15, San Francisco–Consumer groups TURN and Public Citizen today urged the Federal Energy Regulatory Commission (FERC) to reveal which western utility was penalized $2.7 million for leaving crucial data exposed online. The recipient of the penalty, which consumer groups believe is the largest ever for violations of cyber security rules, can be kept secret by FERC if revealing this information would create further security risks. But that is not the case here.
The unnamed company was accused of violating two critical infrastructure protection standards. A hacker who discovered the data reported the breach and has since destroyed the information. The unnamed utility claims the problem has been completely solved, so revealed its name would not create a risk of additional hacks.
According to a joint filing made by TURN and Public Citizen, there is no reason to keep the utility secret at this point, and the public could be harmed if the company is allowed to sweep this massive penalty under the rug.
“If local regulators don’t know which utility was penalized, there is no way to ensure that consumers don’t ultimately bear the costs for mistakes made by utility management,” said TURN staff attorney Freedman. “TURN frequently intervenes to protect consumers from unfair costs that PG&E, SDG&E, Edison and SoCal Gas are all too happy to collect in rates. We want to make sure that a penalty of this size is paid out of shareholder profits and not customer rates.”
“Consumers and shareholders need to know when companies are violating the rules and putting them at risk,” said Tyson Slocum, Energy Program Director at Public Citizen. “Especially when they are racking up repeated violation, as PG&E has with its recent federal conviction, flouting of CPUC rules, and negligent disregard of safety standards.”