Canadian Electricity Provider London Hydro Discloses Data Breach

What happened

London Hydro disclosed a data security incident that may have exposed personal and account information belonging to some customers.

The Canadian electricity provider distributes power to more than 160,000 customers in and around London, Ontario. The utility said it is investigating the incident and has started notifying affected customers.

The potentially exposed information includes names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates, and meter information.

London Hydro said the incident did not involve banking information, payment card details, dates of birth, government-issued identification numbers, or other sensitive financial data.

The utility has not disclosed when the intrusion was discovered, how the incident occurred, whether data was stolen or only accessed, how many customers were affected, whether ransomware or extortion was involved, whether a third party was implicated, or whether operational or grid-related systems were touched.

London Hydro said the technical issue that led to the incident has been identified and fixed. The company also said it is proactively contacting impacted customers and working with local law enforcement.

Who is affected

Some London Hydro customers may be affected by the breach.

The exposed information may include customer names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates, and meter information.

Although banking details, payment card data, birth dates, and government identification numbers were not involved, the exposed account and contact information could still be used to make phishing messages, fake utility bills, payment demands, or customer service impersonation attempts more convincing.

Why CISOs should care

This incident highlights how utility customer data can create meaningful risk even when financial information and government IDs are not exposed. Account numbers, billing details, service addresses, pricing plans, and meter information can help attackers impersonate a utility or craft more convincing fraud attempts.

For CISOs in utilities and critical infrastructure, the unanswered operational questions are also important. London Hydro has not publicly disclosed whether operational technology, grid systems, vendor systems, or ransomware activity were involved. During utility incidents, organizations need to quickly establish whether the event is limited to customer information or may also affect operational resilience.

The case also reinforces the importance of customer communications after a breach. When utility account information is exposed, customers need clear guidance on suspicious bills, payment changes, account activity, and messages requesting banking details.

3 practical actions

  1. Treat utility account data as sensitive information: London Hydro said exposed data may include account and billing numbers, service addresses, pricing plans, contract start dates, and meter information. CISOs should classify utility and service account data as sensitive because it can support targeted impersonation and fraud.
  2. Separate customer systems from operational environments: The public disclosure does not confirm whether grid or operational systems were affected. Utilities should maintain strong segmentation, logging, and incident scoping processes so customer data incidents can be separated from operational technology risk quickly.
  3. Prepare customer fraud warnings after account data exposure: London Hydro warned customers to watch for suspicious communications, unexpected bills, unfamiliar account activity, or requests to change payment arrangements. Organizations should issue clear guidance reminding customers that legitimate providers will not ask for banking details by email, phone, or SMS.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.