The Daily Swig Web security digest

Utility companies warn over TIO data breach

James Walker | 06 December 2017 at 16:39

News of security vulnerability filters down to consumers.

Following PayPal’s announcement last week that TIO Networks, the payment processing firm it acquired in July, had suffered a data breach, two American utility companies have warned that they may have been affected by the hack.

Duke Energy, one of the largest energy holding companies in the US, yesterday issued a warning that customers who paid a bill at one of its 550 authorized walk-in payment processing centers between 2007 and 2017 may be affected by a potential compromise of personally identifiable information.

“This TIO Networks issue has possibly and unfortunately affected some of our customers, and we are doing all we can to help,” said Lesley Quick, Duke Energy’s vice president of revenue services.

“We have remained in daily contact with our vendor since they abruptly and unexpectedly disabled their network on November 10 for suspected security vulnerabilities.”

The company said the issue only affects customers who paid by check or cash at an authorized walk-in payment processing center, and not customers who paid via credit card or another form of payment.

The personally identifiable information that may have been compromised includes name, address, Duke Energy account number and balance, and, if a customer paid by check, banking information.

The North Carolina company’s announcement follows a similar warning issued last Friday by City Utilities of Springfield, Missouri.

TIO Networks was the provider of the operating system for City Utilities’ payment kiosks and mobile payment app, and the utility said it would be contacting around 9,000 potentially affected customers.

“The personal information of customers is not something we will place at risk,” said Scott Miller, general manager of City Utilities. “The ability to securely interact with the utility, or any business, is absolutely necessary.”

Vancouver-based TIO was snapped up by PayPal for $238 million in July, as part of the Silicon Valley payments giant’s global expansion program.

While the transaction was aimed at advancing the company’s ability to offer digital financial services to “tens of millions of underserved customers”, PayPal suspended TIO’s operations last month following the discovery of security vulnerabilities that were later revealed to have resulted in the personally identifiable information of around 1.6 million people being compromised.

PayPal said TIO’s services will remain offline until the company is confident in the security of its network.