Exclusive: Identity Breaches in the Energy Sector Continue to Rise, With 1.5 Million Records Impacted Since 2018

Energy sector cyber breaches and leakages, especially those intended to access identity information, have increased precipitously in recent years, an analysis provided exclusively to Morning Consult by Constella Intelligence found. 

Since January 2018, there have been 4,245 breaches and leakages revealing corporate credentials of the top 20 energy companies on the Fortune Global 500 list, with roughly a third of those occurring in 2020 alone. There have been 976 breaches and leakages so far in 2021, and the sector is on track to meet or surpass 2020 numbers. 

Overall, 1,504,564 records have been impacted since 2018.

These breaches -- defined as instances when confidential information is accessed by an external party without authorization -- do not generally result in major losses like the May cyberattack on the Colonial Pipeline, which managed to shut down one of the primary arteries of the East Coast’s fuel supply.

However, their accumulation represents the increased vulnerability of the energy industry -- and other sectors considered “critical” -- to hostile actors taking advantage of vulnerabilities in the cyber landscape. 

“The energy sector plays a key role in maintaining the continued functionality of critical infrastructure,” said Jonathan Nelson, digital intelligence specialist at Constella, who added that these exposures and breaches should be seen as “imminent” and “serious” given that the landscape is “constantly evolving.”

Constella is a digital risk protection company that collects breach data across 125 countries and 53 languages. The company’s recent economy-wide breach report illustrated that the recent jump in breaches is not distinct to the energy sector; other industries such as cryptocurrency, news, health care and telecommunications have also been increasingly targeted. 

The energy-specific data found that email and password credentials were the most exposed attributes, though banking or financial information has also been exposed in a small minority of cases. Two-thirds of breaches included personally identifiable information of some sort. 

Energy companies in the United States are by far the most at risk, representing roughly 31 percent of worldwide breaches and leakages between 2018 and 2021. India, at 4 percent, is second. 

Those in the energy sector’s highest echelons were particularly targeted. Constella analyzed a sample of 55 executives (including two to five per company, both chief executives and others at C-suite positions), and found that 25 have been exposed in a breach or leakage since 2018. Twenty-four of those affected had personally identifiable information of some sort exposed, and six had their passwords revealed. 

This increase in attacks over the past year roughly tracks with the increase in denial-of-service attacks that the energy sector saw last summer, in light of perceived vulnerabilities in the midst of the early months of the coronavirus pandemic.