Toronto police and Ontario's privacy commissioner have both been called in after someone hacked into 179,000 electronic Toronto Hydro bills this month.
The e-bills are sent monthly and include basic customer information such as an account number, home address and name. They do not include banking or prepayment information, which Toronto Hydro Corp. chief executive officer and president David O'Brien said was not compromised.
"That system is completely different from this one, and it's separated by firewalls and other security," he said.
As such, Ontario information and privacy commissioner Ann Cavoukian doesn't consider the e-billing information itself a serious privacy breach, but believes it could allow those in possession of it to contact customers by phone or e-mail to try to draw out further details about banking information. An investigation by her office and the Toronto police has begun.
Both the commissioner and Toronto Hydro are warning customers to not give out that kind of information, and report any suspicious calls to the company. Toronto Hydro has sent letters to all its customers explaining the breach.
"This is the very first time we've had an incident like this," Mr. O'Brien said in an interview. "We will find out how it happened. We will. Our systems are very secure, so this is a bit of a head-scratcher."
It was Toronto Hydro that first noticed the security breach, but Mr. O'Brien declined to say when, saying it was integral to the police investigation. Privacy commissioner Ann Cavoukian said she was called in Friday.
Ms. Cavoukian will meet Wednesday with hydro officials, and said the risk in this case is that whoever hacked the documents could call or e-mail the affected Toronto Hydro clients, posing as the power company and asking for further details.
"Just tell your readers Toronto Hydro would never e-mail or call you asking for personal information," she said. "The message is: as in all other cases, one has to be careful."
It's unclear who caused the breach, or whether they're in Toronto.
Customers who have questions are encouraged to call Toronto Hydro's care line (416-542-8000). As the first letters to customers arrived Tuesday, the company got about 50 phone calls, Mr. O'Brien said.
Ms. Cavoukian said that only this month's bills were compromised - not past billing information. Ms. Cavoukian said that if indeed no personal financial information was compromised, as Toronto Hydro says, an investigation could be complete in two weeks.
"Toronto Hydro has responded very quickly," she said. "And we'll get to the bottom of it."