Pennsylvania utility says MOVEit breach at vendor exposed some customer data

A Pennsylvania utility company says that basic customer data stolen from one of its vendors in 2023 was recently exposed online, but the incident did not affect its core systems.

PPL Electric Utilities said in an emailed statement that the vendor notified it in June 2023 of a breach through a widespread bug in the MOVEit file transfer software, which affected hundreds of organizations and exposed the data of tens of millions of people.

A PPL spokesperson confirmed that the stolen data was published online in December 2024. 

“The information did not extend beyond basic information such as name, address, phone number, email address and account number,” the spokesperson said. It did not include “banking or credit card information, social security numbers or account passwords,” because PPL did not share such information with the vendor.

“This issue is completely unrelated to PPL’s systems and critical infrastructure across all our service areas,” the company said.

The Allentown-based utility is owned by PPL Corporation, which this week reported operating revenues of $8.46 billion for 2024. It also runs utilities in Kentucky and Rhode Island.

At least one cybersecurity organization has linked the published PPL data to an individual using the moniker “nam3l3ess,” who has posted information from dozens of other entities affected by the MOVEit breach, including Delta Air Lines and Amazon. The initial breaches through MOVEit were attributed to the Clop ransomware group.

A Texas utility company, CenterPoint Energy, said in late January that it was investigating a similar leak at a vendor.