Bright House Networks, the sixth largest owner and operator of cable systems in the U.S., has sent a letter to customers warning that they may have been exposed after servers used to process Video on Demand (VOD) were breached.
The letter, dated September 2011, says that Bright House recently became aware that the servers processing VOD orders were breached.
[Full Disclosure: The letter from Bright House was addressed to me. I am a Bright House customer here in Indianapolis, with VoIP, Cable, and Internet services. -Steve]
“Recently, we were made aware that an unauthorized source gained access to our servers and, as a result, historical customer data back to June 22, 2011 was exposed,” the letter states.
“There has been no indication that such customer VOD data was actually access or retrieved or improperly used. However, we do want you to be aware that the possibility exists that suggest that some limited VOD data was exposed to an unauthorized source.”
The notice to customers is light on details surrounding the breach itself. Likewise, no information regarding the security incident was immediately available on brighthouse.com. What is known is that customer names, addresses, phone numbers, and Bright House Network account numbers were exposed. Sensitive data, including credit card details, passwords, or SSNs, were not exposed.
“As soon as we discovered this incident, immediate steps were taken to secure the system and to prevent this kind of incident from happening again. Moreover, in response to incidents like this one and the increasing number of Internet-enabled attacks on companies in general, we regularly review our security practices and modify our systems to safeguard your information,” the letter concluded, adding an apology for any concern the incident may cause.
The letter also noted that customers should watch their accounts and report suspicious or unauthorized activities to the company. We’ve reached out to Bright House for more information. It is unknown if this breach impacts customers outside of Indianapolis. If it does, then customers in California, Alabama, Florida, as well as Michigan, should also expect letters.
A customer support representative, who was not fully informed of the security incident, commented that he was told the breach was narrowed down to Indianapolis customers only, but could not confirm this. What he was told was that Bright House was unsure if the attackers walked off with the data available on the server, and they were not sure how long the attackers had access to the system.
We’ll update with more information as we get it.