Frequently Asked Questions
Q1. What happened?
An employee at an independent software development consulting firm (contracted by NYSEG and RG&E) allowed unauthorized access to an internal customer information system. There is no evidence that any customer data has actually been misused, or that there was any malicious intent.
Q2. What kind of customer information was accessed?
The customer records contain Social Security numbers, dates of birth and in some cases, financial institution account information. There is no evidence that any customer data has actually been misused, or that there was any malicious intent. Out of an abundance of caution, we are contacting all of our customers to notify them of the incident, providing help line support and offering all customers the option of a credit monitoring service for a year at no charge.
Q3. When did it happen?
We learned of the unauthorized access earlier this month and acted very quickly to disable access to our system for the employee of the contractor and conduct an internal investigation to determine exactly what had occurred. We consulted with law enforcement and engaged computer forensics experts.
Q4. Who may be affected by this situation?
While it is important to remember that there is no evidence that any customer data has actually been misused, we have notified all NYSEG and RG&E residential, commercial and industrial customers in NYSEG’s 42 counties in upstate New York and RG&E’s nine-county service area centered on the City of Rochester. Customers at our sister company – Central Maine Power – are not affected by this situation.
Q5. How did NYSEG and RG&E discover this unauthorized access?
We take our obligation to protect customer information very seriously. As part of our routine monitoring process, we found irregular activity on our system. We quickly identified the contractor who allowed the unauthorized access. The user has been cooperative and we have no evidence that this data has actually been misused, or that there was any malicious intent.
Q6. What did NYSEG and RG&E do to respond when the companies learned of the unauthorized access?
When our security team detected irregular activity in our system, we immediately disabled access to our system for the employee of the contractor. We have consulted with law enforcement and engaged computer forensics experts. Our investigation is ongoing and we will continue to provide law enforcement with our full assistance.
Q7. What are NYSEG and RG&E doing for customers who may have been affected by this situation?
Out of an abundance of caution, we are notifying all NYSEG and RG&E customers (by U.S. Mail, not e-mail) so they have the information and tools necessary to help detect any misuse of personal information. As a precautionary measure, we are also offering all NYSEG and RG&E customers the option of a year of credit monitoring at no charge.
Q8. Will NYSEG or RG&E be calling me to set up the credit monitoring service?
No. NYSEG and RG&E are contacting customers only by letter. We are not making calls to customers, nor have we asked anyone to make calls to customers on our behalf. Customers wishing to have a year of free credit monitoring should call Experian – this is the only company that is authorized to sign NYSEG and RG&E customers up to receive credit monitoring. Customers are advised to not provide personal information over the phone to other parties unless they are absolutely sure they know the caller.
Q9. What actions do NYSEG and RG&E suggest customers take who may have been affected by this situation?
NYSEG and RG&E customers should monitor their accounts closely to ensure that there are no signs of inappropriate or unauthorized use. They should also take advantage of the credit monitoring service that we are offering at no charge.
Q10. If a customer pays their NYSEG or RG&E bill electronically, do they need to re-submit financial information?
No. They only need to provide account numbers if they have changed account numbers at their financial institution.
Q11. What are NYSEG and RG&E doing to disclose this situation to potentially-affected and other interested parties?
We have notified law enforcement and all required agencies and have provided notice to all of our customers via a letter, our website and the media.
Q12. Do RG&E and NYSEG suggest that a customer create a new password to access their account on-line or complete electronic payments?
No. Customers do not need to update their login or password.
Q13. What actions are NYSEG and RG&E taking to ensure this does not happen again?
We take our responsibility to protect customer data very seriously. We routinely review our systems to ensure the confidentiality of our customer data.
Q14. Is the integrity of the electricity grid or natural gas system compromised because of this unauthorized access?
No.
Q15. Is the credit monitoring service also being offered to businesses?
A. Yes.
Out of an abundance of caution, NYSEG and RG&E are offering credit monitoring service to business customers as well as residential customers. All business customers were already sent a letter from Experian – the activation code provided in the letter may or may not work, depending on the following circumstances:
Those businesses that use the proprietor’s Social Security number for tax identification purposes can use the authorization code on the letter they receive to enroll in credit monitoring through Experian.
Those businesses that do not use a Social Security number for tax identification purposes can enroll in a separate credit monitoring service by contacting Experian (1.877.736.4495). Experian will provide a new, special authorization code that will enable those businesses to enroll online at www.smartbusinessreports.com/ProtectMyBusiness.
Please note, business customers may only enroll via the web.
Log out
