City finally discloses last week’s privacy bug (UPDATED)

Yesterday Seattle City Light and Seattle Public Utilities finally disclosed last week’s privacy leak.


The utilities posted a new FAQ on their web sites, including the following statements:

Was my information visible to others?

Our initial analysis indicates that bills for certain of the City’s utility customers may have been visible to other City Light/Seattle Public Utilities customers. Information on bills is limited to: customer name, address, account number, balance and usage. Social security numbers, bank accounts, or credit or debit card information were not visible. If your information was accessed by another City utility customer, the City will notify you by mail in the coming days.

Have you fixed this issue?

We have identified the cause of both issues — errors in code affecting electronic bill processing — and have taken corrective actions to resolve them.

Is the system safe to use?

Yes. Payment information was not exposed during this event. Payment information is secured by a separate system that was not affected by this situation.

Also yesterday, Michael Mattmiller, CTO for the City of Seattle and Director of Seattle IT, sent this email to City Council members:

Shortly after launch of our new customer information system, a small number of customers may inadvertently have been able to view another customer’s account online for a limited period of time. The project team brought our third-party eBilling system down immediately when this was discovered, and brought it back online once resolved.

On Tuesday, Sept. 13, Seattle IT was informed that a similar issue was suspected and the project team, again, took down the eBilling system as a precaution. Working with the project team, we helped identify the cause of both issues — errors in code affecting electronic bill processing — and have validated corrective actions taken with these events. The coding issue was only related to how eBills were made available for viewing, not how the bills are generated or calculated. No social security number, bank account, credit card, or debit card information was involved.

The eBilling system has been brought back online and we have started uploading batches of electronic bills again. When we catch up early next week, we will resume our regular nightly eBill batch runs. The following FAQs will be posted shortly to address any follow-up questions by the public.

Seattle IT is still validating our assessment of both of the issues and is attempting to confirm which customers were affected. We will notify the affected customers by mail in the coming days, in accordance with the City’s privacy policy.

Please do not hesitate to reach out to me with additional questions you might have on this topic.

UPDATE 9/23/16 4:15PM: Council member Lisa Herbold made the following statement this afternoon:

“Michael Mattmiller did notify and send the Q&A to our office late yesterday. I was surprised to learn that the eBilling system had been down for eight (8) days. I’ve been told that similarly to the previous issue, no social security numbers, bank account, credit card, or debit card information was involved. I am disappointed that it has taken the City more than a week to release this information. I will continue to look into this issue and ask for a quicker release of information particularly as it relates to customers and their personal information.”