The hack of the Murfreesboro Water Resources Department website recently was limited in scope to one script page, or the homepage, a city spokesman said.
The homepage of the water department was hacked on Saturday, Aug. 3. A graphic was uploaded showing the Iranian flag and the Guy Fawkes mask, which is often associated with the Anonymous hacker-activist movement. The graphic had words that included, “We are always closer to you. Your identity is known to us. Your information is for us. Take care.”
The purported signature was by “Mamad Warning.”
According to to zone-h.org, a website that archives screenshots of websites that hackers defaced, a hacker using the name Mamad Warning was credited with 1,069 “mass defacements” as of last Wednesday, including the MWRD page.
Mike Browning, public information director for Murfreesboro, said the hack affected only the utility homepage. No customer data was compromised. The MWRD server has no credit card information stored on it. The website was restored the night of Sunday, Aug. 4, and the city made changes to the webpage.
“They weren’t able to get beyond that particular area,” Browning said.
In light of the website defacement, the Post asked two other local utility companies about their cybersecurity.
Adam Elrod, communications coordinator for Middle Tennessee Electric Membership Corp., was asked two questions by email.
Q: What steps can the utility share that it takes to protect client accounts and its portion of the electric grid?
A: Middle Tennessee Electric takes the security of our members’ data and the electrical grid seriously. We utilize both experienced on-staff professionals and external resources to stay current on the latest scams and cyber schemes. Education of our employees regarding phishing attacks and education of our members related to scam emails and phone calls play important roles in the overarching effort.
Scammers sometimes call or email our members directly in an attempt to steal money or personal information from them. The most common scam tactic is to tell members that they must make an immediate payment using prepaid credit cards to prevent electrical disconnection. Members who receive this type of suspicious call should hang up immediately and contact us directly if they are concerned about their account status. The same advice applies to suspicious emails, too.
Q: What are seen as the greatest cyberthreats MTEMC faces (hacking client data, power grid mischief, etc.)?
A: Common threats our members and employees face are phishing and fraud scams in their email inbox. In recent months, MTEMC members have reported instances of suspicious emails and phone calls asking for personal account information, the offer of discounts on their electric bill, or demanding immediate payment to prevent their electricity from being cut off. Members should delete those emails and hang up on those phone calls. Our internal cybersecurity specialists also educate our employees to identify malicious emails and various cyber threats.
Consolidated Utility District communications officer Brett McCardle was interviewed. The utility’s network “secures customer information behind defenses that monitor outside access and internal data,” he said in a statement. “The system never sleeps, and all non-U.S. traffic is blocked.”
Mike Sumner, CUD’s director of information technology said, “In the digital world, a firewall keeps us separated from the bad guys. We have total control of it, and we open specific ports needed for data access, then close them. We receive alerts all day, every day from the firewall. It’s 24/7/365 monitoring. As we receive alerts, we follow through with necessary protective steps. In addition, our website data lives in a secure architecture design. This allows us to keep public data and private data separate from each other.”
CUD said that to protect customers’ financial data, it contracts with a Payment Card Industry-compliant vendor to collect online payments and safeguard customer information.
William Dunnill, general manager of CUD, said, “Last year, we heard some complaints about having to charge a fee for online bill payments. However, that third party provides a level of security that protects our customers around the clock. In accordance with state law, CUD is PCI compliant, and we’re maintaining that standard of data security.”