Anyone who paid a power bill at one of Duke Energy’s walk-in payment sites needs to check the mail to find out if personal information has been given out without permission.
Duke Energy said Tuesday that a computer data breach potentially affects those who paid bills at one of the company’s 550 authorized walk-in payment centers between 2008 and 2017. Nearly 375,000 customers in the Carolinas may be affected.
The compromised information may include names, addresses, Duke Energy account numbers and balances, and banking information if customers paid by check.
“We regret the frustration and inconvenience this issue has created for our customers who rely on our authorized walk-in locations to pay their monthly energy bills,” Lesley Quick, Duke Energy’s vice president of revenue services, said in a statement on the utility’s website.
The walk-in payment sites included grocery stores, convenience stores and other businesses that accept payments for other companies.
People affected will get a letter from TIO Networks, the company that owns the network used to process the Duke Energy walk-in payments. The letter will include detailed questions and answers, and a phone number to call for additional information.
TIO Networks said it is offering 12 months of free credit monitoring to anyone affected and 24 months of free credit monitoring to anyone whose Social Security number was shared without authorization.
TIO Networks suspended the bill-payment service Nov. 10 as part of the company’s investigation of security vulnerabilities. Duke Energy received payments through a subsidiary of TIO Networks called Global Express.
Keith King, who operates Kingz Downtown Market on North Liberty Street, said he has had to tell people, “Don’t shoot the messenger,” since Nov. 10, when the computer system used for Duke Energy bill payments was shut down.
King’s customers could use the Global Express service for free, but the alternative, Western Union, charges $3.25 for the bill payments, he said.
“I’ve had some to get really angry,” King said. “They are shell-shocked that they have to pay $3.25 when they are so used to doing it for free. I have to go through the whole scenario and explain to them that Global Express has been down since Nov. 10.”
The breach affects only customers at walk-in sites who paid by check or cash; it does not affect people who paid with a bank card or some other kind of payment method.
In addition to using Western Union, people can pay power bills by check, credit card or debit card online or by phone at 800-777-9898.
King said most of his customers using the walk-in service pay cash.
He said about 50 or 60 people a month would come in to pay their power bill.
Some places charged $1.50 or $2 for the service, King said, but he didn’t. He doesn’t have that option with the Western Union service.
King said some people facing a disconnection deadline lost power recently because Western Union payments don’t process immediately like the Global Express ones did. Those people could have avoided being disconnected by calling Duke Energy but didn’t do that, he said.
TIO Networks was acquired by PayPal Holdings in July, but the company said that TIO Networks is a separate system from PayPal and that PayPal customer accounts are not affected.
PayPal said its investigation showed evidence of unauthorized access to customers’ information.