London Hydro distributes electricity to more than 160,000 customers in and around London, Ontario. On June 20 the utility quietly posted notice of a data security incident. It may have exposed names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates, and meter information for some accounts. Banking details, payment cards, dates of birth and government ID numbers stayed out of reach. That much the company made clear.
But the statement stopped there. No count of affected customers. No date of discovery beyond a later revelation. No explanation of the entry point. No confirmation whether data left the network. And no word on whether attackers brushed against the operational systems that keep power flowing. The silence stands out. Especially for a utility entrusted with infrastructure that millions rely on daily.
The company updated its notice on its website that same day. It told customers it was working with authorities and had begun contacting those impacted. “London Hydro and the appropriate authorities are currently investigating a data security incident which may have impacted a portion of personal information on some accounts,” the notice read. It listed the data categories in plain terms. Then it stressed what was not touched.
Customers received emails. They were told to watch for unexpected bills, unfamiliar account activity, or requests to alter payment methods. London Hydro reminded them it never asks for banking information by email, phone or text. Report anything suspicious to [email protected], the notice said. Simple steps. Yet they underscore the real risk here: the exposed details make convincing phishing or impersonation attacks far easier.
One executive’s account added new facts but left the bigger picture murky.
CBC News reported CEO Ysni Semsedini said the company became aware of suspicious activity on June 18. An account was used to exploit a system vulnerability. That allowed access to certain information about other customers. The issue was fixed the same day. Additional steps were taken. Service delivery faced no interruption. “We have determined that the account was used to exploit a system vulnerability, which allowed access to certain information about other customers,” Semsedini stated. “No banking information… will not impact service delivery.”
The Register had pressed for answers on timing, exfiltration, customer numbers, ransomware or extortion, third-party involvement, and any contact with grid systems. London Hydro did not respond by the time of that report. The gap persists. And it matters.
Utilities sit at the intersection of customer data and physical operations. A breach confined to billing systems still carries weight. Attackers could craft personalized scams that reference real meter numbers or contract dates. They could build trust fast. But the unknown element looms larger. Did intruders probe further? Could similar weaknesses exist in control networks? The company draws a boundary around customer records. It offers no evidence that boundary held everywhere.
This incident arrives against a tense backdrop. Canada’s critical infrastructure faces relentless pressure. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2025-2026 flags ransomware as the top cybercrime threat to such entities. Actors refine extortion tactics. They escalate pressure on victims. Disruptions to power, water or transport carry immediate human costs. London Hydro’s case may not involve ransomware. The company has not said. Yet the pattern of limited disclosure echoes broader challenges.
Earlier incidents illustrate the point. Nova Scotia Power, another Canadian utility, faced a disruptive cyberattack in April 2025. Its parent Emera confirmed unauthorized access to IT systems and networks. Customer data questions lingered then too. SecurityWeek covered the response and the uncertainty over compromised information. Those events keep utilities in the spotlight.
Costs add urgency. IBM’s Cost of a Data Breach Report placed the average Canadian breach at CA$6.98 million in the latest data, up more than 10 percent year over year. Organizations using security AI and automation extensively saw lower figures. Those that did not paid more. The numbers reflect forensics, notification, legal exposure and lost trust. For a municipal utility like London Hydro, even a contained breach strains resources.
Legislation may soon change the calculus. Bill C-8, if passed, would impose stricter cybersecurity rules on operators of vital systems in energy and other sectors. The Critical Cyber Systems Protection Act would require programs to guard critical systems, report incidents quickly, and manage third-party risks. Penalties could reach CA$15 million per violation per day. McCarthy Tetrault analyzed the bill’s potential reach. It would affect designated operators and ripple to suppliers.
Yet rules alone won’t close disclosure gaps. London Hydro’s notice meets basic notification obligations. It informs affected parties. It avoids panic by clarifying what stayed safe. But industry insiders expect more when the target controls power distribution. How was the vulnerable account accessed? Was it an internal credential, a vendor link, or something else? Was data copied or simply viewed? These questions affect risk calculations for every similar organization.
And. The absence of answers fuels speculation. Some wonder if operational technology stayed untouched because of strong segmentation. Others suspect the company simply lacks full visibility even now. Without independent verification or regulatory filings that add detail, the public and partners operate in partial light.
Recent coverage adds little new. CTV News and CBC reported the notification and CEO comments. They repeated the data categories and the no-financial-impact assurance. No outlet has surfaced evidence of larger compromise or regulatory action yet. The story remains contained. For now.
Customers can take basic precautions. Monitor accounts. Ignore unsolicited requests for information. Use official channels for payments. But the burden should not rest entirely on them. Utilities owe transparency proportional to their role in society. Power is not optional. The data that supports its delivery deserves equal care.
London Hydro says it will share more when able. That moment cannot come soon enough. The sector watches. Regulators watch. And attackers certainly watch. Partial answers may satisfy legal minimums. They fall short of the clarity needed to rebuild confidence and strengthen defenses across Canada’s energy grid.


WebProNews is an iEntry Publication