Texas utility firm investigating potential leak of customer data tied to 2023 MOVEit breach

A large Texas energy company confirmed it is investigating reports of stolen customer data that has been published on a cybercriminal forum after it was allegedly taken during a 2023 breach.

CenterPoint Energy told Recorded Future News that it is aware of reports that customer data has been leaked after researchers uncovered a cybercriminal forum post with the information. 

“Based on our investigation, we believe this data was obtained from a third-party vendor’s system,” a spokesperson for CenterPoint Energy said. “We have no reason to believe that our network was compromised in connection with this issue.”

The company said it is still assessing the impact of the data exposure but did not answer further questions about the breach. 

For months, a hacker going by the moniker “nam3l3ess” has been combing through data previously stolen by a ransomware gang through a popular file sharing tool called MOVEit. The tool was exploited through a vulnerability in 2023, allowing hackers to steal troves of information from hundreds of government agencies and large companies. 

In December, nam3l3ess claimed to have acquired a database of information stolen from CenterPoint Energy. Researchers at DataBreach.com went through the data and found three million names and addresses. The company created a way for victims to look through the data set for their own information. 

Researchers said the data likely originated from CLEAResult, an energy efficiency consulting firm managing programs for CenterPoint Energy, which utilized the MOVEit software.

Cybersecurity firm Emsisoft estimates that 2,773 organizations were impacted by the 2023 attacks on MOVEit, and the records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

Progress Software, the company behind MOVEit, has faced more than 100 lawsuits due to the breaches. 

Late last year, nam3l3ess reignited concern about the breaches when they posted tranches of data apparently stolen through the vulnerability. Some of the companies listed were previously announced as MOVEit victims, but others were not. All of the data is from May 2023, when the initial string of MOVEit breaches began.  

nam3l3ss has made several dark web posts claiming they are not a hacker and simply download data posted to ransomware sites held on unsecured storage platforms. The person claimed they are not selling the data and are releasing it in anger towards prominent companies that do not protect user information. 

Cybersecurity expert Zack Ganot, the product owner of DataBreach.com, said the MOVEit breach is a “perfect example of the cascading effect of supply chain vulnerabilities.” 

“The story of CLEAResult and CenterPoint Energy is just one of thousands of companies affected by this mega-breach — many of which remain unidentified,” he said. “In numerous cases, the customers of these companies have yet to be notified, even though these breaches occurred over a year ago.”