A security researcher has accused a major California-based gas and electric provider of cybersecurity malpractice after finding an unprotected database online that reportedly contained sensitive data on more than 47,000 computers, virtual machines and servers.
Exposed by MacKeeper security researcher Chris Vickery, the database consisted of data from an asset-management system of a US firm called Pacific Gas and Electric. As noted in a blog post, the company, which claims to provide vital services to 16 million people, easily falls into the category of 'national critical infrastructure'.
Upon analysis, the database held a slew of sensitive data online without username or password protection, contained IP addresses, operating-system information, hostnames and MAC addresses – which are unique numbers assigned to computer networks.
"This would be a treasure trove for any hostile nation-state hacking group," wrote Vickery. "That's not to mention the 120 hashed employee passwords, or the plain-text NTLM, SOAP and mail passwords." For its part, PG&E's has attempted to play down the scope of the incident by claiming the database was fake – however, this has been publicly disputed by the researcher.
"I want you to also know that nearly every data breach that I find is initially claimed to be fake," he said. "It's a quick, easy excuse when your company is caught with its pants down and, if it works, you get off free and clear. But that excuse isn't going to work this time.
"Fictitious databases do not generally have areas specifically marked development, production and enterprise. Fictitious databases do not generally have more than 688,000 unique log record entries. This database did."
The concerns over the cybersecurity systems used by critical national-infrastructure firms that provide citizens across the globe with gas, oil and/or electric spiked after hackers successfully targeted a Ukrainian power grid last December. At the time, malware was injected into a power station in the Ivano-Frankivsk region of Ukraine, which left the region without electricity for several hours.
Vickery, who voiced concerns that the PG&E data could have been easily exploited by 'hostile actors', has now said he wants to turn over the downloaded database to the US Department of Homeland Security for inspection.
"To be clear, I absolutely do not believe PG&E's claim that this is all fictitious data. They sure took it down quickly after I notified them on Thursday 26 May," he said. "PG&E didn't bother to ask me if I downloaded a copy of this open, publicly exposed database. I'll tell you now that I did. I still have it."
Vickery has experience in disclosing database leaks from major firms that fail to properly configure their systems and frequently scours the Shodan search engine to do so. His previous reports have exposed firms including child-tracking website uKnowKids, dating firm BeautifulPeople and even entire governments.