Hydro-Québec, the province's primary electricity utility serving millions of customers, discovered that customer personal information had been compromised through a vulnerability in a third-party service provider's systems. The April 2023 incident exposed sensitive data and highlighted the critical importance of supply chain security in critical infrastructure protection.

What Happened

In April 2023, Hydro-Québec identified unauthorised access to customer data through systems operated by a contracted third-party service provider. The third party, which provided customer service platform and billing system support, had failed to properly patch a known vulnerability in their infrastructure. Threat actors exploited this vulnerability to gain access to Hydro-Québec customer data stored on the provider's servers.

The breach was discovered during routine security audits conducted by Hydro-Québec. The utility immediately engaged external forensic investigators to determine the scope of the incident and notify affected customers. Investigation revealed that the compromised systems had been accessible to threat actors for approximately six weeks before detection.

Scope and Affected Data

Hydro-Québec reported that approximately 2.3 million customer records were potentially exposed, including:

  • Customer names and residential addresses
  • Account numbers and billing information
  • Email addresses and phone numbers
  • Energy consumption data and utility usage patterns
  • Some customers' financial information from payment records

Notably, Social Insurance Numbers were not stored in the compromised systems. However, the combination of personal and financial information exposed posed significant identity theft and fraud risks. The utility serves both residential and commercial customers across Québec, representing one of the largest customer bases for any Canadian utility provider.

Impact on Customers and Operations

Customers affected by the breach faced increased risk of identity theft, phishing attacks, and potentially targeted fraud. The exposure of account numbers and billing information could allow threat actors to impersonate customers when contacting Hydro-Québec or attempting to modify account settings.

Energy consumption data exposure also raised privacy concerns, as detailed usage patterns could reveal customer routines and household composition. Security researchers noted that such information could be valuable for physical security threats targeting high-value customers.

Hydro-Québec's operations were not significantly disrupted by the breach, as the compromise affected customer service systems rather than critical operational technology controlling power generation and distribution. This separation of systems limited the potential impact on electricity service continuity.

Hydro-Québec's Response

Following discovery of the breach, Hydro-Québec implemented comprehensive response measures:

  • Immediately terminated access to the third-party provider's systems and conducted a complete security assessment
  • Notified all affected customers via mail and email about the breach and recommended protective actions
  • Offered complimentary credit monitoring and identity theft protection services for two years
  • Collaborated with Québec's privacy commissioner and law enforcement to investigate the incident
  • Implemented enhanced contractual security requirements for all third-party service providers
  • Conducted comprehensive vendor security audits across all critical service providers

Lessons Learned

The Hydro-Québec breach exemplifies the critical importance of supply chain security, particularly for organisations handling sensitive customer data. Third-party service providers often have access to data equivalent to what internal systems hold, yet may operate with less stringent security standards. Critical infrastructure operators must implement robust vendor management programmes that include regular security assessments, vulnerability scanning requirements, and mandatory patch management protocols.

The incident demonstrates that even large, well-resourced organisations can be vulnerable through their supply chain partners. The six-week detection window highlights the necessity for continuous monitoring and anomaly detection systems that can identify suspicious data access patterns in real time.

How CyberSafe Can Help

CyberSafe's Cyber Defense Services help utilities and critical infrastructure providers implement comprehensive supply chain security programmes. Our Vendor Risk Assessment Services evaluate third-party security posture and ongoing compliance. Through Managed Security Services, we provide continuous monitoring of critical systems to detect compromise in real time and minimise exposure windows.
