London Hydro, a Canadian electricity utility, has disclosed a data breach in which customer names, addresses, and account details may have been exposed. The utility has been vague about the nature and scope of the intrusion, leaving significant questions unanswered. The incident highlights ongoing risks to operational technology and utility sector organisations holding sensitive customer data.

Security Architect’s Take: Review data classification and access controls for customer PII held in cloud or hybrid environments, and ensure breach notification runbooks include requirements to capture and disclose key technical indicators — vague disclosures often signal immature incident response. Consider whether your third-party utility or OT suppliers have adequate security controls and contractual obligations around breach reporting.

Original advisory: Canadian utility fesses up to data breach, but key details remain off-grid