"Malicious actors" have potentially been able to access customer information at the Capital Region Utility Company, Hofor. This is according to a letter sent from the utility company to customers. Ritzau is in possession of the letter sent on Thursday, April 30.
The vulnerability is that it has potentially been possible to access other customers' information by changing the number combinations in the "customer number and BS customer number" in connection with login.
- It cannot be ruled out that, for example, other customers or malicious actors could potentially have gained access to your customer information, writes Hofor.
The information that has potentially been accessed is name, address, email, date of birth, telephone number, invoice and consumption data.
- Neither your CPR number, bank information nor other forms of credit card or payment data have been accessed, writes the utility company.
Ritzau has reached out to Hofor to get an answer on how long others have been able to access customer information, and whether activity from "malicious actors" has been detected. The problem was discovered during an "internal review" on March 30.
- Hofor cannot say for sure when the potential vulnerability occurred. The login solution in question has been in operation since 2014, it says.
Tastselv Service must have a security update
Hofor supplies water, heating, city gas, district cooling and handles wastewater for more than a million customers. If a "malicious person" has gained access to customer information, the information could, among other things, be used to send fake emails that may appear to come from Hofor.
Therefore, the utility company warns in the letter about emails from outsiders wishing to obtain card information and the like.
Hofor has chosen to close the login to Tastselv Service with customer number and BS customer number while the "necessary security update" is carried out.
From mid-May, Hofor expects to expand the login process with an extra security check if you do not use Mitid, it says.
/ritzau/
Text, graphics, images, sound, and other content on this website are protected under copyright law. DK Medier reserves all rights to the content, including the right to exploit the content for the purpose of text and data mining, cf. Section 11b of the Copyright Act and Article 4 of the DSM Directive.
Customers with IP agreements/major customer agreements may only share Danish Offshore Industry articles internally for the purpose of handling specific cases. Sharing in connection with specific cases refers to journaling, archiving, or similar uses.
Customers with a personal subscription/login may not share Danish Offshore Industry articles with individuals who do not themselves have a personal subscription to Danish Offshore Industry.
Any deviation from the above requires written consent from DK Medier.
