The Burlington Electric Department shut down its online payment system this week after a reddit user found that users’ passwords were stored on an internal database without adequate encryption.
In a release about the vulnerability, the department said there is no reason to believe the database was breached, and disconnecting the server was a precaution.
Greg Schoppe, a web developer for Burlington Bytes, said he was concerned after he used the “forgot password” function on Burlington Electric’s online payment site.
He said that “rather than receiving a link to reset my password, as I expected, I found an email in my inbox, containing my personal password.”
That response raised some concerns for Schoppe.
“This is extremely bad,” he posted publicly on reddit after raising the issue with Burlington Electric by phone. The fact that the system simply emails the password, he wrote, “means that a single hacked server, or a single annoyed DB [database] admin would gain an attacker passwords for every renter and homeowner in Burlington.”
Three days later, Burlington Electric General Manager Neale Lunderville publicly announced that the system had been taken offline.
“The passwords were stored in a way that was not encrypted,” Lunderville said in an interview. “We deemed that not acceptable and we tried to work on a few solutions to solve the problem quickly, but we couldn’t find one, so we decided to take the system offline and shut it down.”
Lunderville said the software in question is called SunGard, and about 100 utilities elsewhere in the country have the same issue.
After an update from SunGard, Lunderville said, Burlington Electric will undergo a security audit to ensure their systems protect customer information.
Schoppe said in an email that he thinks Burlington Electric did the right thing, and noted that it can be difficult for companies to know how secure systems really are.
“These sort of systems are contracted out to third parties that claim to offer experience and security,” he said. “Unfortunately, without regular outside security audits, it is hard for a utility like BED to know whether those claims are justified.”
