"may have impacted a portion of personal information on some accounts," London Hydro said in a brief statement — a short acknowledgment that raises as many questions as it answers for more than 160,000 electricity customers the utility serves in and around London, Ontario.
London Hydro confirms a customer-data incident
London Hydro on Saturday disclosed it is investigating a data security incident and has begun notifying affected customers. The utility said the incident "may have impacted a portion of personal information on some accounts," and its public statement focused exclusively on customer-facing records. The company has not disclosed what system was compromised, how the incident occurred, whether data was exfiltrated versus merely accessed, or how many customers were affected.
Specific customer fields the utility says may have been exposed
According to London Hydro, the potentially exposed information includes names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates, and meter information. Those categories, the utility said, are the scope of what it believes may have been impacted and forms the basis of the notifications it is distributing to customers.
What London Hydro says was not involved
The company drew a clear line around several sensitive categories. London Hydro said the incident did not involve banking information, payment card details, dates of birth, government-issued identification numbers, or "other sensitive financial data." The statement therefore frames this as a customer data incident rather than one involving direct financial credentials — at least according to the utility's published account.
Why the exposed fields matter to fraudsters
Even without banking or ID numbers, the combination of names, addresses, account and billing numbers, meter information and contract details can increase the plausibility of fraudulent contact. The Register noted this exact risk: those fields are sufficient to make a fake utility bill, a payment demand, or a social‑engineering customer-service call look considerably more believable. That kind of information can be used to impersonate the utility, to request payment changes, or to craft targeted phishing and extortion attempts aimed at customers who will assume the communication is legitimate.
What customers and security teams are being asked to do
London Hydro is warning customers to watch for suspicious communications, unexpected bills, unfamiliar account activity, or requests to change payment arrangements. The company also reminded customers that it "does not ask for banking details by email, phone, or SMS." For security teams at utilities and organisations that handle similar customer records, the incident underscores the value of rapid, precise communications about which data elements are at risk and clear guidance on what the company will and will not request from customers.
The Register sought additional detail — asking when the intrusion was discovered, whether information was exfiltrated, how many customers were affected, whether ransomware or extortion was involved, whether any third-party systems were implicated, and whether operational or grid-related systems were touched during the incident. At the time of writing, London Hydro had not responded to those questions.
London Hydro's public statement draws a distinct boundary around the customer information that may have been exposed while stopping short of any technical or forensic detail. The confirmed inclusions and exclusions give customers concrete signs to watch for and specific reassurances about the types of sensitive financial and identity data the utility says were not involved. Where the attackers went and what else they may have touched, however, remains unclear.
