If your utility handles customer data, you need to be prepared for the possibility of a cyberattack. At the beginning of September, a water utility in Margate, Florida was hacked and customer data for approximately 70 customers was compromised. The hacker appropriated credit and debit card information, using funds for several purchases. The Secret Service was called in to investigate. Ultimately, a team from the nearby city of Deerfield was called in to assist. They located the virus and were able to remove it quickly.
Although it is not entirely clear whether the website was hacked or data was compromised somewhere along the payment process, authorities are urging water utilities to be aware of the threat of cyberattacks and to act accordingly to protect customer data.
How can you do that? Here are some recommendations from the Federal Trade Commission (FTC) on steps you can take to protect your customers' data:
- Only ask for the information that you need: If your business doesn't need information to offer the appropriate service to your customer, don't ask for it. For example, if you don't use email for correspondence, don't ask for email addresses.
- Purge information you have no use for: The FTC advises that you only hold on to information for as long as you have a legitimate business need. If the information is no longer of use to your utility, don't keep it.
- Restrict access to customer data: Not everyone in your utility should be able to access customer data. There is no need for an operator to have customer credit card information, but an associate who handles billing would need to be able to access that data. Restrict access to important data to only those within your organization who may have a need to access it. Also, make sure you properly train those employees on appropriate usage of customer data to avoid breaches.
- Require strong passwords: Strong authentication procedures help keep customer data safe. Predictable passwords don't provide much protection for customer data. Require that customers choose a password that:
  - Uses a combination of letters, numbers, and special characters
  - Uses a combination of uppercase and lowercase letters
  - Avoids common phrases like qwerty or 1234

  Check out these tips from PCMag for creating strong passwords.
- Set your system so that customers are locked out after a certain number of unsuccessful attempts to access an account: By disabling an account after a certain number of failed attempts, you prevent hacks from software designed to try different password combinations until access is gained.
- Test your system for vulnerabilities: Try to hack your own system. This will reveal vulnerabilities that a hacker could use to access customer data. Don't forget your SCADA system. Check out these tips for improving the security of your SCADA system.
- Encrypt customer data: You can take measures to protect customer data on your end, but what about sending customer data as part of the payment process? Encryption protects data as it digitally weaves its way to another location.
- Protect customer data at all times: Protect customer data when it comes from the customer, when you store it on your systems, and when you send it off for any other purpose. Data doesn't stay in just one place. Make sure that all information is secure at all times, regardless of where it is stored.
- Implement sound coding practices: Make sure your IT department, whether it's a third-party service or a renegade team of one, implements proper coding to secure your customers' data. When in doubt, seek out a professional service to ensure you are using industry best practices to secure data.
- Keep your systems up to date and consistently check your security measures: Perform regular software updates to ensure all systems are working properly and are making use of current security protocols. Perform regular checks to make sure all security measures are properly functioning.
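
The password and lockout recommendations above, sketched in Python as an added example (not code from the original article or from the FTC). The blocklist entry "password", the five-attempt threshold, the 15-minute temporary lockout, the PBKDF2 storage, and the names `password_problems` and `Accounts` are assumptions; the article gives no numbers.

```python
import hashlib
import hmac
import os
import time

COMMON_FRAGMENTS = ("qwerty", "1234", "password")  # first two are from the article
MAX_FAILURES = 5           # assumed: the article says "a certain number"
LOCKOUT_SECONDS = 15 * 60  # assumed: temporary lockout instead of a permanent disable

def password_problems(pw):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(not c.isalnum() for c in pw):
        problems.append("needs a special character")
    if any(frag in pw.lower() for frag in COMMON_FRAGMENTS):
        problems.append("contains a common phrase")
    return problems

def _hash(pw, salt):
    # Store a salted, slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Accounts:
    def __init__(self, clock=time.monotonic):
        self.clock, self.users = clock, {}

    def register(self, user, pw):
        problems = password_problems(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _hash(pw, salt), "fails": 0, "locked_until": 0.0}

    def login(self, user, pw):
        rec = self.users.get(user)
        if rec is None:
            return "denied"
        if self.clock() < rec["locked_until"]:
            return "locked"  # even the correct password is refused while locked
        if hmac.compare_digest(_hash(pw, rec["salt"]), rec["hash"]):
            rec["fails"] = 0
            return "ok"
        rec["fails"] += 1
        if rec["fails"] >= MAX_FAILURES:
            rec["fails"], rec["locked_until"] = 0, self.clock() + LOCKOUT_SECONDS
        return "denied"
```

The injectable `clock` lets the lockout window be tested without waiting; in production the counters belong in the same durable store as the accounts so a restart does not reset them.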
You have an obligation to your customers to protect their information the best that you can. For more information on securing customer data, check the FTC website.