Customer data secure after PUD website hack

Kirk Boxleitner kboxleitner@ptleader.com
Posted 2/14/17

No customer data was compromised Feb. 3 when Jefferson County Public Utility District’s website was hacked, according to PUD officials.

Bill Graham, resource manager for the PUD, elaborated on earlier comments made by PUD General Manager Jim Parker, referring to the PUD site’s “third-party hosting.”

“A third-party host simply means that our website resides on another company’s server,” Graham said. “The jeffpud.org domain is managed and protected by that company.”

Graham said that the version of the Web application used to manage the site’s content – WordPress – was known to have the particular vulnerability that hackers successfully exploited Feb. 3.

“The top or latest post to the site was overwritten, apparently more than once, by someone who just wanted little more than to vandalize a website,” Graham said. “The site was victimized for less than 24 hours, and was identified by our IT manager quickly. A patch with an updated version of WordPress was applied, and the problem went away.”

As for being hacked, Graham reiterated Parker’s assurance that no actual customer data was taken, as no customer data resides on the jeffpud.org domain.

“Customer account information resides safe, protected and encrypted on another server, and is managed by yet another company, National Information Solutions Cooperative [NISC] ... an enterprise-level utility service provider,” Graham said. “Many PUDs in Washington state use NISC for a multitude of services, including billing, outage management services and customer payment portal services such as SmartHub, of which Jefferson uses all of the above.”

Graham said that the vandalization of the website – which simply read “hacked by NG689Skw” – did not affect any of these services, because the PUD’s customer data resides behind NISC’s “formidable security encryption” and other defenses.

“As far as we know, no one else was affected locally,” Graham said. “Clallam PUD had the same Web developer as Jefferson, but didn’t get attacked.”

Graham considers it likely that the hackers used a “spider” program, seeking Internet protocol (IP) addresses with the vulnerable versions of WordPress.

“So, geography isn’t relevant,” Graham said. “The reason we were a target was because of the WordPress vulnerability, not because we are a utility. It’s the first and only time we know of that we’ve been the victim of this kind of random attack.”