Cyber Incident Victim: Upper Peninsula Power Company

On June 23, 2022, Upper Peninsula Power Company (UPPCO) detected a potential data security incident involving unauthorized access to its computer network. The company immediately secured its systems and engaged a third-party cybersecurity firm to investigate the breach. The investigation confirmed that an intruder had accessed certain files containing confidential customer information. UPPCO conducted a review of the compromised files, determining that the exposed data included affected individuals' first and last names combined with Social Security numbers. The breach timeline indicates unauthorized access occurred prior to the June 23 detection date, though the exact duration of system access remains unspecified in public filings. UPPCO completed its forensic review and impact assessment approximately five months after initial detection.

On November 23, 2022, UPPCO formally reported the breach to the Maine Attorney General's office, disclosing that 39,400 consumers had their sensitive personal information compromised. The company notified all affected individuals via mailed data breach letters on the same date, advising them about potential identity theft and fraud risks stemming from the exposure of Social Security numbers. As a regional energy provider serving 54,000 customers across Michigan's Upper Peninsula, the breach impacted nearly 73% of UPPCO's customer base. The incident did not disrupt electrical service operations, with no reported impacts on power generation facilities or grid reliability. UPPCO's public disclosure through regulatory filings contained no details about the intrusion method, attacker identity, or whether data was exfiltrated versus merely accessed. The company's response focused on containment through network security measures and consumer notification, without disclosing specific remediation steps taken for affected individuals beyond breach advisories.