Data breach · Contained

London Hydro data breach exposes customer account information

Attackers used a customer account to exploit a system vulnerability at Canadian utility London Hydro, potentially accessing the names, contact details and account information of other customers.

Victim: London Hydro

On 20 June 2026, London Hydro — the electricity distribution utility serving roughly 170,000 residential, institutional, commercial and industrial customers in London, Ontario — disclosed a data breach that may have exposed personal and account information belonging to some of its customers. The company said it had first noticed suspicious activity on a customer account on 18 June 2026 and immediately began investigating.

According to the utility, the compromised account was used to exploit a vulnerability in its systems, which in turn allowed access to certain information about other customers. London Hydro said it is proactively reaching out to impacted customers and is working with local law enforcement, though it has not disclosed how many people were affected.

What was exposed

The information that may have been accessed includes customer contact details — names, addresses, email addresses and phone numbers — as well as account data such as account and billing numbers, service addresses, pricing plans, contract start dates, and meter numbers and types.

London Hydro stressed that the incident did not involve dates of birth, government-issued identification numbers, payment card details, banking information or other sensitive financial data.

Why it matters

The breach highlights how a single compromised customer-facing account, combined with an unpatched application flaw, can be leveraged to reach data belonging to a much wider population of users. For a critical-infrastructure operator such as an electricity distributor, even a breach limited to billing and contact information carries elevated stakes: the exposed details are exactly the kind of data that fuels convincing follow-on phishing and social-engineering campaigns against utility customers. Several outlets noted that key facts — including the number of customers affected and whether data was exfiltrated — remained unclear in the days after disclosure.

Timeline

  1. London Hydro detects suspicious activity on a customer account and launches an investigation.

  2. The utility publicly discloses the data breach and begins notifying potentially affected customers.

Sources

  1. securityweek.com: https://www.securityweek.com/canadian-electricity-provider-london-hydro-discloses-data-breach/
  2. cbc.ca: https://www.cbc.ca/news/canada/london/london-hydro-investigating-data-breach-affecting-some-customer-accounts-9.7243545
  3. theregister.com: https://www.theregister.com/security/2026/06/22/canadian-utility-fesses-up-to-data-breach-but-key-details-remain-off-grid/5259309
  4. londonhydro.com: https://www.londonhydro.com/data
