Hydro tells their clients that the client list was hacked

By Staff

February 15th, 2025

BURLINGTON, ON

 

On Friday, February 14th – Valentine’s Day – a number of Burlington residents received a “you are loved” notice from Burlington Hydro. The notice alerted the Hydro customers that they had been “kissed”; that there had been a data breach and their private information had been unlawfully accessed. An anonymized copy of the letter follows:

Some Hydro customers didn’t take much comfort or assurance from the letter.

The notice covers all the mandatory statutory elements of a notification of privacy breach (as defined by Ontario’s Information and Privacy Commissioner) but it is rather light on background information or on helpful follow-up links. In fact, if you do contact Burlington Hydro you will discover that their Customer Support organization is closed until February 18th, after the Family Day holiday.

What is disturbing or, at the very least, needs further clarification is the second paragraph of the notice – “On January 22nd, 2025, our third-party customer information system vendor made us aware that it experienced a data breach from an unauthorized user to its system. We want to assure you that the issue was quickly contained, and the impacted system is secure and there is no ongoing unauthorized access to any data.”

First, despite the date on the letterhead, it is over 3 ½ weeks from the date of the breach until the first notice to affected customers. And Burlington Hydro used snail mail to the exclusion of other, more immediate means. They have, after all, the email addresses of their customers. In an age when misuse of personal information can occur in milliseconds, this delay is simply far too long.

Secondly, and potentially far more concerning, is the statement “our third-party customer information system vendor”. In other words, Burlington Hydro is saying that the customer information database is on a system held (and operated?) by a third party. Who is this “third party” and where are they located? Have they been properly vetted? How remote are they from Burlington Hydro operations? Are they in the USA and subject to all the regulations around trans-border data flows? These are serious questions.

Mayor Meed Ward is a member of the Hydro Board with a C Dir certification that was paid for by Burlington Hydro.

I suppose that we must wait until next Tuesday, at the earliest, for answers. Not surprisingly, there is nothing on the city website, although the breach would have been reported to COB as soon as Burlington Hydro was made aware. We should remember that Mayor Meed Ward sits on the Burlington Hydro Board of Directors.

 


4 comments to Hydro tells their clients that the client list was hacked

  • David

    I never look at my recurring bills, they get automatically withdrawn from an account specifically set up for such things; I checked online and everything seems to be OK but e-mailed them to get some sense of my risk, the reply was a nothing to worry about check your account regularly kind of word salad; I don’t want to be involved, it was your job to protect me, there’s probably hundreds of you doing things that are of no interest to me whatsoever.

  • wayne sloan

    Burlington Hydro hides behind layers of bureaucracy, using corporate jargon to justify skyrocketing rates while failing at the most basic responsibility—protecting customer data.
    Wouldn’t it be nice to see the compensation plans for all those on the “leadership” team and how much those plans have increased or had large bonuses included over the last 5 years as hydro rates have almost doubled?

  • Bruce Leigh

    What are the chances of the hackers paying my hydro bill for me? Yeah, I didn’t think so but was hoping.

  • Penny Hersh

    This is happening more and more.

    I received an email in November telling me that there had been a data breach in the company that administered the drug Lapelga Pegfilgrastim. The breach had taken place in April.

    This breach did not affect me because I am retired and don’t have to work. For those who are still working it could be the reason why they could not get a job they had applied for.

    This drug is used for health conditions and this information should not have been made public.

    There are not enough safety measures in place to protect the public.