Sat, Apr 25, 2020 09:07 PM

M-A042420-01 Cybersecurity Incident

Resending to include additional recipients


NOTICE DATE: April 24, 2020

NOTICE TYPE: M-A042420-01 General         

SHORT DESCRIPTION: Cybersecurity Incident

INTENDED AUDIENCE: All Market Participants

DAYS AFFECTED: April 16 - 24, 2020

LONG DESCRIPTION: On April 23, 2020, ERCOT was informed by a Market Participant (disclosing MP) that its registration information (i.e., contact information and bank account information) with ERCOT may have been compromised. ERCOT and the disclosing MP immediately began investigating the concern.

ERCOT has determined a Cybersecurity Incident originated with a compromised Microsoft Office 365 (Office 365) account belonging to the disclosing MP. The attacker used the compromised Office365 account by assuming the email address belonging to the disclosing MP’s Authorized Representative (AR), and creating new email accounts using domain typo-squatting (i.e., the attacker created new email addresses that were similar to officers/employees of the disclosing MP). While the disclosing MP is located in the United States, the attacker leveraged several foreign IP addresses from Germany and Ghana.

On April 20, 2020, ERCOT received and processed a Notice of Change of Information (NCI) from what appeared to be the disclosing MP’s AR (using the AR’s email address on file with ERCOT). The NCI modified the MP’s banking information. For Business Days, April 21 – 23, 2020, wires from ERCOT to the disclosing MP were sent to the revised bank account identified in the NCI. In coordination with federal authorities, ERCOT has been able to recover a majority of the wires that had been sent to the fraudulent bank account. ERCOT is continuing to work closely with federal authorities concerning the remaining funds, and the impacted Market Participant to ensure the proper and safe communication of information and transfer of funds. At this time, ERCOT has found no evidence to suggest that this incident is related to the JPMorgan data disclosure described in Market Notice M-D041720-01.

The ERCOT Protocols define a Cybersecurity Incident as “a malicious or suspicious act that compromises or disrupts a computer network or system that could foreseeably jeopardize the reliability or integrity of the ERCOT System or ERCOT’s ability to perform the functions of an independent organization under [PURA].” Although ERCOT’s ability to perform certain registration functions were impacted, ERCOT has determined that no ERCOT computer network or system was compromised as a result of this Cybersecurity Incident. Based upon preliminary findings, the only computer or network compromised was a single Office 365 email account belonging to the disclosing MP. ERCOT processed the NCI in accordance with its business practices and processes set forth in the ERCOT Protocols, and has implemented additional levels of controls for bank information, and is further evaluating additional controls to help ERCOT verify changes made to MP registration information. ERCOT plans to engage stakeholders in further discussion regarding such controls at future stakeholder meetings.

The disclosing MP had not enabled a two-factor authentication (2FA), also known as two-step verification, or multi-factor authentication (MFA), on its Office365 account. ERCOT believes that 2FA or MFA would have prevented this incident, and therefore highly encourages all MPs to protect systems and devices from hackers and malware by employing 2FA or MFA. This measure will create an extra layer of security to help ensure that only authorized individuals can access an MP’s email account. Pre-registering domains similar to the actual domains utilized by MPs may also reduce the chance of typo-squatting. ERCOT utilizes a Domain-Based Message Authentication (DMARC) practice to reject emails that do not pass a verification test. Enabling a DMARC practice can help MPs control who can send emails on behalf of the MP, and thereby prevent nefarious parties from utilizing a MP’s domain. See Market Notice M-A031419-01, ERCOT Implementation of a DMARC “Reject” Policy.

CONTACT: If you have any questions, please contact your ERCOT Account Manager. You may also call the general ERCOT Client Services phone number at (512) 248-3900 or contact ERCOT Client Services via email at

If you are receiving email from a public ERCOT distribution list that you no longer wish to receive, please follow this link in order to unsubscribe from this list: