Date: Jan 2016

Location: United States of America

Summary

Kankakee Valley REMC experienced a cybersecurity breach involving unauthorized access to a network storage device via a foreign IP address, discovered during a routine audit. The compromised device contained personal information—including names, addresses, phone numbers, and account identifiers—for approximately 17,700 members, though no financial data or Social Security numbers were accessed. While investigators could not confirm whether data was exfiltrated, the cooperative treated the incident as a potential compromise, promptly isolating the breached pathway and notifying affected individuals via mailed letters with guidance to safeguard their identities through state resources.

Description

In mid-January 2016, Kankakee Valley REMC identified a potential cybersecurity breach during a routine audit of its systems. The audit revealed unauthorized access by a foreign Internet Protocol address to a storage device on the cooperative's network. This device contained information for all 17,700 members of the electric cooperative, including names, addresses, phone numbers, REMC location numbers, member numbers, and account numbers. Notably, the compromised data did not include financial information or Social Security numbers. Upon discovery, the cooperative immediately severed the unauthorized access pathway to contain the breach. The intrusion's exact timeline and the attacker's identity remained undetermined at the time of disclosure.

Kankakee Valley REMC CEO Dennis Weiss publicly acknowledged the breach on February 16, 2016, stating investigators could not confirm whether member data had been copied or exfiltrated. Despite this uncertainty, the cooperative treated the incident as a confirmed data compromise to maximize member protection. As a precautionary measure, the organization mailed breach notification letters to all affected members, advising them to utilize identity protection resources through the Indiana Attorney General's office. The cooperative did not report service disruptions or operational impacts beyond the data security incident. No ransomware demands or explicit motives for the breach were disclosed in initial reports, and the cooperative did not specify whether law enforcement agencies were investigating the intrusion.
