Largest US Propane Distributor Discloses ‘8-second’ Data Breach

America’s largest propane provider, AmeriGas, has disclosed a data breach that lasted ephemerally but impacted 123 employees and one resident.

AmeriGas servers over 2 million customers in all 50 U.S. states and has over 2,500 distribution locations.

This month’s data breach was reported by the propane giant to the Office of the New Hampshire Attorney General.

Data breach lasted ‘8 seconds’, impacted 123 employees

This month, AmeriGas has issued a data breach notification letter to the New Hampshire Attorney General’s Office.

The data breach, however, originated at J. J. Keller, a vendor responsible for providing Department of Transportation (DOT) compliance services to AmeriGas.

These services include helping AmeriGas with conducting driving record checks, drug and alcohol testing for drivers, and other DOT-imposed regulatory checks. 

On May 10th, J. J. Keller detected suspicious activity on their systems associated with a company email account.

As such, the vendor promptly began investigating their network to discover that a J. J. Keller employee had fallen victim to a phishing email, leading to a compromise of their account.

During this brief access window threat actor(s) could view certain files present within the employee’s compromised account.

After resetting the employee’s account credentials, J. J. Keller promptly began their forensic activities to determine the full scope of this breach.

By May 21st, J. J. Keller notified AmeriGas that this eight-second breach exposed records of 123 AmeriGas employees present in the files viewable to the attacker.

“According to J.J. Keller, during the 8-second breach, the bad actor had access to an internal email with spreadsheet attachments containing 123 AmeriGas employees’ information, including Lab IDs, social security numbers, driver’s license numbers, and dates of birth.”

“To date, we are unaware of any actual or attempted misuse of this personal data as a result of this incident,” disclosed AmeriGas in a sample data breach notification letter dated June 4th, 2021.

Also Read: The DNC Singapore: Looking at 2 Sides Better

Also exposed in the breach, was the information of just one New Hampshire resident, who has since been notified of the incident and been provided with free credit monitoring services.

At this time, there is no indication that any employee information was copied or misused.

Second security incident concerning AmeriGas this year

This incident marks the second data breach incident concerning AmeriGas this year.

In March 2021, AmeriGas had disclosed an attempted data breach, in which a company customer service agent was fired for potentially misusing customer credit card information.

According to AmeriGas, some customers phoning AmeriGas customer service had verbally disclosed their credit card information to this representative who may have misused this information to make unauthorized purchases. 

At the time the company had said:

“We recently detected that there were unauthorized disclosures of credit card information to one of our customer service agents.”

“We do not know whether your credit card information was shared but are writing in an abundance of caution. “

“We investigated the issue as a precaution to further secure your information.”

“The agent involved has been terminated and we have already implemented additional safeguards,” the company had disclosed at the time.

Also Read: 4 Best Practices on How to Use SkillsFuture Credit

Cyber-attacks and incidents against critical energy companies are continuing to grow, prompting the need for stepping up security controls and awareness training across organizations.