About 370,000 Duke Energy customers in the Carolinas, including in Charlotte, may have had addresses, banking data and other personal information exposed in a potential data breach stretching back to 2008, a company spokesman said Tuesday.
Ryan Mosier said the Charlotte-based utility learned Nov. 10 of the potential breach affecting a vendor that processes in-person payments from Duke customers. Mosier said the vendor is TIO Networks, a publicly traded payment processor acquired in July by PayPal.
PayPal has said the potential compromise involves personally identifiable information for roughly 1.6 million customers.
Of that figure, approximately 374,000 are Duke customers who pay their utility bills at locations like convenience stores that accept the payments, Mosier said. The customers potentially affected are in Duke Energy Carolinas’ service territory, which mostly covers the western Carolinas, he said.
“Some of the information that was potentially compromised would include what you would expect in bill payments: name, address, their Duke Energy account number, perhaps some banking information as well,” Mosier said. Duke Energy also said the information may also have included Duke account balances.
Duke Energy Carolinas serves about 2.5 million customers. That means the potential breach may have impacted as many as 15 percent of those people.
Mosier said the company understands the situation is frustrating for customers. Duke is working with TIO to better understand what happened, Mosier said, adding that Duke wants to work with customers to make sure they are able to still pay their bills on time.
The disclosure follows a growing list of large data breaches at major companies in recent years, including Equifax, Yahoo, Target and Uber. In some cases, companies have been criticized for not disclosing breaches sooner, prompting calls for change.
Last week, Sen. Bill Nelson, a Florida Democrat, said he filed legislation requiring companies to quickly notify consumers of a data breach. The legislation would also impose new criminal penalties for executives who try to deliberately conceal breaches, Nelson said.
In the latest case, PayPal said Friday TIO had begun working with companies it services to notify potentially affected individuals.
PayPal also said it is working with a consumer credit reporting agency to provide free credit-monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring, PayPal said.
Duke said customers who might be affected are those who paid bills by check or cash at one of the company’s 550 walk-in payment centers between 2008 and 2017. Duke said TIO Networks will begin notifying customers in letters that will come from TIO Networks.
Duke Energy Carolinas customers can continue to make in-person payments at any Western Union location, Duke said. The company said it entered into an agreement with Western Union after TIO Networks suspended its payment system last month after the discovery of security vulnerabilities on TIO’s platform.
Customers who believe they may be impacted or have questions can also visit tionetworks.com for more information.
Duke Energy did not issue its own press release until Tuesday afternoon. Duke didn’t feel it was necessary, Mosier said, since PayPal was responsible for communicating about the issue.
But the head of Charlotte’s Better Business Bureau had some concerns.
While it appears that Duke is under no legal obligation to publicly disclose the potential breach, it would be good business practice if the company told its customers of the problem sooner, said Tom Bartholomy, president of the Better Business Bureau of Southern Piedmont and Western N.C.
“Nobody’s going to know who TIO is,” Bartholomy said. “Technically, legally (Duke’s) done exactly what they need to do. (But) if there’s anything we’ve learned through all these data breaches and hacks, it’s transparency. Part of trusting a company is them being transparent.”