A large Texas energy company confirmed it is investigating reports of stolen customer data that has been published on a cybercriminal forum after it was allegedly taken during a 2023 breach.
Analysis Summary
# Incident Report: CenterPoint Energy Data Exposure via Third-Party Vendor MOVEit Exploitation
## Executive Summary
CenterPoint Energy confirmed an investigation into customer data theft following reports of exposure on a cybercriminal forum, allegedly stemming from a 2023 incident involving a third-party vendor. The core compromise utilized the MOVEit file-sharing application vulnerability exploited in 2023, leading to the publication of approximately three million customer records, including names and addresses. CenterPoint stated its own network was not directly compromised, highlighting a significant supply chain risk originating from the vendor, CLEAResult.
## Incident Details
- Discovery Date: Not precisely stated; the data was reportedly published on a cybercriminal forum in December 2023 and analyzed by researchers in 2024
- Incident Date: Data likely compromised during the initial wave of MOVEit exploitation that began in May 2023
- Affected Organization: CenterPoint Energy (Data related to their customers)
- Sector: Energy/Utilities
- Geography: Texas (the company is described as a large Texas energy company)
## Timeline of Events
### Initial Access
- Date/Time: Around May 2023 (the general timeframe of the MOVEit exploitation campaign)
- Vector: Exploitation of a zero-day vulnerability in the Progress Software MOVEit file-sharing tool.
- Details: The vulnerability allowed attackers to steal data from organizations utilizing the software, with the data impact traced to CenterPoint Energy's vendor, CLEAResult.
### Lateral Movement
- **Not Applicable/Unknown:** The attack appears to have been direct data theft from the compromised third-party vendor system (CLEAResult) via the MOVEit vulnerability, not lateral movement within CenterPoint's own environment.
### Data Exfiltration/Impact
- Date/Time: Data surfaced on a cybercriminal forum in December 2023 (claimed) and analyzed in 2024.
- Details: Approximately three million customer names and addresses were exfiltrated from the vendor system.
### Detection & Response
- Date/Time: CenterPoint became aware following external research uncovering a forum post.
- Details: CenterPoint Energy initiated an internal investigation upon notification of the data listing. They publicly confirmed awareness but stated no direct compromise of their own network.
## Attack Methodology
- Initial Access: Exploitation of the MOVEit vulnerability (Supply Chain Attack).
- Persistence: Not detailed; the focus is on bulk data theft through the externally exposed file-transfer application.
- Privilege Escalation: Not specified; the exploit acted directly on the vendor's file-transfer application.
- Defense Evasion: Not specified; exploitation of a zero-day bypassed defenses at the vendor level.
- Credential Access: Not specified.
- Discovery: Not specified; the attacker relied on the direct file access the exploit provided.
- Lateral Movement: Not applicable to CenterPoint's network; any attacker activity was confined to the vendor's compromised MOVEit environment.
- Collection: Bulk retrieval of files stored on the vendor's MOVEit instance.
- Exfiltration: Data taken from the vendor's MOVEit instance and later posted for sale/release on a cybercriminal forum by the user "nam3l3ess."
- Impact: Exposure of customer Personally Identifiable Information (PII).
## Impact Assessment
- Financial: Costs related to investigation, potential regulatory fines, and customer notification efforts (Not quantified).
- Data Breach: Approximately three million customer names and addresses.
- Operational: CenterPoint stated they had "no reason to believe that [their] network was compromised," suggesting no direct operational disruption.
- Reputational: Negative impact due to confirmed customer data exposure linked to a major utility provider.
## Indicators of Compromise
- **Network indicators:** Those of the widespread 2023 MOVEit exploitation campaign; no specific IOCs are provided in the text.
- **File indicators:** A database file containing CenterPoint customer data posted by "nam3l3ess."
- **Behavioral indicators:** Bulk file retrieval from the vendor's MOVEit server (inferred from the exploitation pattern; not documented in the text).
## Response Actions
- Containment: Not detailed; likely centered on vendor access and contractual remediation. CenterPoint is investigating the scope of exposure.
- Eradication: Not detailed; dependent on remediation steps taken by the third-party vendor, CLEAResult.
- Recovery: CenterPoint created a portal allowing victims to check if their data was included in the leaked set.
## Lessons Learned
- **Supply Chain Risk is Critical:** The incident serves as a "perfect example of the cascading effect of supply chain vulnerabilities," where a primary contractor's security failure exposes downstream clients.
- **Delayed Notification:** Many organizations affected by the large-scale MOVEit breach (dating back to May 2023) have still not notified affected customers.
- **Vendor Oversight:** Reliance on a vendor's third-party file-transfer software (MOVEit) exposed the client organization; a zero-day at the vendor became a customer-data breach for the client.
## Recommendations
- Mandate rigorous, evidence-based security audits for all third-party vendors handling sensitive customer data, specifically focusing on third-party application patching cadence.
- Review contracts to ensure vendors are held accountable for security incidents arising from their infrastructure exploitation.
- Maintain proactive monitoring for dark web listings related to organizational assets, especially following known mass-exploitation events like MOVEit.