centerpointenergy.com Breach

In the closing days of May 2023, Houston-based utility giant CenterPoint Energy became an unwitting participant in the sprawling MOVEit supply-chain fiasco when the Cl0p ransomware gang exploited CVE-2023-34362 in the file-transfer servers run by CLEAResult, the energy-efficiency contractor that handles rebate and demand-response programs for CenterPoint customers. During the roughly 48-hour window before Progress Software disclosed the flaw, attackers copied a file set that ultimately proved to contain 3,024,752 customer records.  
  
The stolen database-published by the self-styled leak archivist “nam3l3ess” on a criminal forum in December 2024 and mirrored on DataBreach.com the following month-held full names and street addresses for every entry, along with 2.3 million phone numbers. CenterPoint has said it has “no reason to believe” Social Security or payment-card numbers were involved, yet breach analysts noted that the blend of name-address-phone triples is ideal for utility-bill phishing and account-takeover schemes, particularly because customers often reuse those exact details for multifactor authentication.  
  
CenterPoint’s first public acknowledgement came only after journalists asked the company to comment on the forum dump more than eighteen months after the files were taken. A spokesperson stressed that the utility’s own network remained untouched and blamed the exposure on “a third-party vendor’s system,” but declined to specify how many customers would receive direct notice or remedial services. Security researchers were quick to point out that the vendor in question, CLEAResult, had never appeared on the official victim tallies Progress Software circulated in mid-2023, underscoring how far the ripple effects of a single zero-day can extend before companies even realise they are caught in the blast radius.  
  
For now, CenterPoint faces no dedicated class action, yet lawyers tracking the consolidated MOVEit multidistrict litigation say the utility could still be added as discovery reveals new chains of custody for stolen files.