Hacker Shocks Electric Company

Who ever hacked into Ozarks Electric Cooperative Corp.’s automated outage reporting system on Dec. 29 and switched the greeting to a derogatory message could soon face jail time. AT&T’s toll free division and Ozarks Electric are scrutinizing the company’s phone records in an effort to track down the guilty party.

Paul Bridges, a clerk at the Washington County Prosecutor’s office, said computer trespassing that causes more than $2,500 worth of damage is a Class D felony and brings a sentence of zero to six years in prison. A first offense computer trespass that causes no damage is a Class A misdemeanor and comes with 30 days in jail. Exponential fines and jail time apply as the victim’s damages increase.

Ozarks Electric CEO Mitchell Johnson did not put a price on the damage his company sustained, but said that it did include the time and resources expended to find the hacker.

Johnson said the company knows the greeting was changed at 9:09 p.m. He plans to compare the time with AT&T’s list of incoming calls and their places of origin. Although the call list could provide a good lead, Bridges said actually finding the perpetrator may be difficult.

“If it’s a malicious hacker, they’re probably using a ‘freak box’ that allows them to steal the line from the telephone company to begin with,” Bridges said. “If it’s just a kid, they’ll probably find them quick but if it’s someone who knows what they’re doing then they’ll be pretty hard to find.

“Good hackers can cover their tracks and bounce signals all over the place.”

Ozarks Electric’s usual automated greeting allows customers to report power outages and request assistance. The message was changed to say all of Ozarks Electric’s employees had gone home and suggested that customers “call someone who cares.”

The truth is the company had 20 people in the office handling phone calls and dozens others out in the field working to restore power to more 1,500 customers who were left without power. An ice storm earlier in the week had knocked out a number of area power lines.

But the problem was exacerbated about the same time Ozarks Electric’s greeting was changed. A large tree limb fell in Fayetteville and severed a transmission line that linked four substations. More than 17,000 people were suddenly without power, but company communications manager Penny Storms said the crisis fortunately only lasted 45 minutes.

“We were able to recover pretty quickly and issue an apology to our customers,” Storms said.

Johnson said that the company’s wide area network has a firewall, but that the automated reporting system relied on two simple security measures. The hacker only had to dial up the phone extension containing the greeting and then break a several-digit pass code.

“We definitely learned something,” Johnson said. “I would tell other business owners out there that no matter how good you feel your security is, double check it and change any passwords on a periodic basis. Make sure you’ve got Fort Knox-type security.”

Ozarks Electric is beefing its computer security up as a result of the incident. Johnson said new measures will likely include a two-tiered password system that’s already in the works by automated answering system vendor DataVoice International Inc. of Dallas.