Duke Energy responds to customer data breach
Several St. Petersburg residents have recently taken to social media wondering if others received an email with “important information regarding your Duke Energy account,” and subsequently debated its legitimacy.
The utility has confirmed the letters are not scams and that a hack exposed customers’ personal and account information in May.
A letter dated Dec. 12 states an unauthorized third party may have acquired information such as names, birthdates and the last four digits of Social Security numbers. Through a series of emails, Audrey Stasko, lead communications manager for Duke Energy Corporate, explained the seven-month delay in notifying customers.
“While these types of events are not uncommon, they do require comprehensive investigations, often in partnership with local and federal law enforcement, such as the FBI, cybersecurity specialists and other agencies that are experts with extensive experience in this area,” Stasko told the Catalyst.
“We conducted a thorough investigation to ensure a complete understanding of the activity, take actions to mitigate the incident and implement measures to help protect our customers and our systems.”
St. Petersburg-based Duke Energy Florida serves two million customers statewide. Over 500,000 Pinellas County homes and businesses rely on the utility. For many, it is their only option.
The hack exposed account numbers, mailing addresses, meter serial numbers, email addresses, phone numbers and federal tax IDs stored on Duke’s website. However, Stasko said it could have been worse.
“While the investigation revealed website functions may have returned some customer and utility account information to the unauthorized party, there is no indication that passwords, financial data or entry to online profiles through ‘My Account’ or through our ‘Business Experience’ portals were exposed,” she wrote.
The email states the data breach occurred from May 20 through May 24. A social media user with a purported background in information technology (IT) said the letter was a scam due to Florida’s customer notification deadlines.
However, State Statute 501.171 allows organizations to determine the breach’s scope, complete criminal investigations and identify victims before issuing notifications. In addition, Florida law only requires individual alerts if the hack will likely result in identity theft or financial harm.
“There is no indication that credit cards, debit cards or bank account numbers were accessible from our public website, and therefore were not compromised,” reads the letter.
Another social media user said they called Duke and read the email to an IT technician, who thought it was a phishing scam used to garner personal information. Several commenters agreed with that assessment and urged recipients not to click on embedded links.
“This issue did not affect all Duke Energy Customers,” Stasko said. “We’re communicating directly with potentially affected customers by email and USPS.
“Duke Energy takes the security of its customers’ information seriously, and we employed prompt actions to help further protect customer accounts.”
According to the letter, those actions included implementing additional encryption, monitoring and control measures. The company also “promptly notified” law enforcement.
Duke wrote that it is not immune to hacks, like any other company. “We are alerting you to this issue so you can take steps to help protect your information.”
The letter encourages customers to stay alert for phishing attempts through emails and text messages with links, attachments or requests for personal information. Duke offered recipients access to credit monitoring agency Experian’s IdentityWorks and Identity Restoration programs for a year.
Instructions to access the complimentary services caused some customers to believe the notification itself was a scam. The letter provides links to Experian’s platforms and an access code that expires March 21, 2025 – a year after the data breach.
The letter instructs recipients to contact Experian for additional information. It does not suggest calling Duke.
“As always, if a customer believes there was fraudulent use of their information, we encourage them to contact a credit reporting agency for more information,” Stasko said.