National Grid is the latest company to report a serious data breach due to a flawed computer program from Burlington-based Progress Software.
On Wednesday, the utility company issued a warning to customers that their names, account numbers, contact details, and utility usage had been exposed in a data breach.
A “cyber incident” involving a file transfer service exposed the personal information, but “there is no indication that National Grid accounts have been compromised, or that customer financial data or account passwords were exposed,” according to the email notice.
The incident was brought to the utility’s attention by CLEAResult, a third-party vendor that helps National Grid to operate statewide energy efficiency programs in Massachusetts, according to the company.
National Grid spokesman Robert Kievra said that CLEAResult uses MOVEit, a Progress Software program used by companies and government agencies worldwide to transfer large amounts of data between servers.
In late May, Progress said that it had found a serious security flaw in its software. That flaw had been exploited by “Clop,” a cybercriminal gang believed to be based in Russia. Hundreds of companies have since reported that cybercriminals had gained access to customer data through the MOVEit flaw. It’s unclear how long ago the National Grid data was stolen or how many users were affected.
“We want all of our customers to know that securing and safeguarding your personal information is one of our most important responsibilities and one that we take very seriously,” the company said.
National Grid encouraged customers to monitor their online accounts for suspicious activity and to regularly update online passwords. CLEAResult is investigating the data leak, the company said.
In an email sent to the Globe on Friday, a Progress spokesperson said, “we worked quickly to provide initial mitigation strategies, deployed a patch on May 31 that fixed the issue and communicated directly with our customers so they could take action to harden their environments.”
National Grid isn’t the only local utility to suffer a significant security breach. In 2021, Eversource reported that it had stored sensitive customer data, including Social Security numbers, on an unsecured server connected to the internet. But the company said there was no indication that anyone had stolen the data.