    Thursday, June 13, 2024

    Eversource reports data breach as companies across state struggle with cyberattacks

    Eversource has become the latest company to deal with a cyberattack as banks, hospitals and businesses across Connecticut and the nation continue to struggle with data breaches.

    An Eversource spokesperson said Thursday that about 1,400 customers in Connecticut enrolled in a solar incentive program managed by an external vendor called CLEAResult may have had personal information exposed, including Social Security numbers, and that Eversource will steer any affected customers who want them to free identity protection and credit monitoring services.

    Another 1,800 accounts in an electric vehicle incentive program were also exposed, with Social Security numbers not involved in those instances.

    It is the same data breach that affected thousands of customers of M & T Bank, one of the state's largest lenders. Meanwhile, federal investigators are continuing to probe a cyberattack affecting hospitals in Waterbury, Manchester and Rockville, shutting down computer systems.

    "We take seriously the security of our customers' information, and we continue to review the security controls of all contractors while taking appropriate protective security measures for Eversource systems to protect customers," Eversource spokesperson Tricia Taskey Modifica said in an email. "It is common for scammers to target customers following incidents like this, and we encourage our customers to remain vigilant by reviewing their account information and statements while being wary of scam activities and communications."

    The data breach affecting M & T and Eversource involved the file transfer software MOVEit, which is produced by Massachusetts-based Progress Software. The breach occurred on a third-party platform that uses MOVEit's file transfer software, and M&T internal systems were not compromised, according to the statement released by the bank. It is the same data breach that affected the Eversource customers.

    Experts are advising consumers to take advantage of any free credit monitoring services being offered, against the possibility that individual personal information is posted for sale on "dark web" sites for criminals to exploit.

    At least 1,100 companies globally have reported being impacted by a vulnerability in the MOVEit data-transfer software sold by Progress Software, potentially affecting more than 60 million customers. Security experts fear the data will end up on the "dark web" and be used as a springboard to identity theft, ransomware attacks, and other crimes.

    While data breaches are old hat by now — Forever 21, Tesla and Stamford-based Lovesac are among several companies to have reported incidents in the past few weeks — the scale of the MOVEit intrusion is concerning to many in the U.S. information security industry.

    "MOVEit was a very big problem for many — where it gets a little bit tricky is that maybe your business is not using MOVEit, but somebody that you do business with is using it," said Jeff Brown, chief information security officer for the state of Connecticut. "We've had instances in the state where you have a fourth party that got breached, and you don't realize that it's connected to your third party until it blows up a little bit."

    Orange-based Avangrid confirmed to CT Insider on Thursday that utility subsidiaries United Illuminating, Southern Connecticut Gas and Connecticut Natural Gas use CLEAResult as well in transferring customer data for energy efficiency and EV incentive programs. A spokesperson emailed CT Insider that Avangrid expects a report by the end of September on any exposure, and plans to "work proactively to immediately notify any impacted customers" if that is the case.

    Brown said he is aware of only one isolated report of a potential MOVEit vulnerability for Connecticut state agencies, saying it was swiftly quarantined with no known consequences to the public. The Connecticut Department of Revenue Services is among the state agencies that use MOVEit for data file transfers.

    Brown said the sheer scale of MOVEit exposure is worrisome not just for current victims, but as a possible larger trend.

    "This is pervasive, and a lot of attacks now are going for that pervasive [impact]," Brown said. "Lots of people use MOVEit — if they break into that, they break into not just one company but many companies."

    A few other known breach victims with Connecticut connections include Fidelity Investments; Prudential; TD Bank Ameritrade and Charles Schwab; Wilton Re, a reinsurance company with its headquarters in Norwalk; Genworth, a life insurer with a large office in Stamford; and TIAA which has offices in Stamford, Hamden and West Hartford.

    CLEAResult, which lists its headquarters in Austin, Texas, informed the office of Connecticut Attorney General William Tong on Aug. 23 of the MOVEit vulnerability, along with AG offices in several other states. A sample customer letter template furnished to Tong's office offers two years of free credit monitoring and the option to freeze accounts.

    "Upon receiving notice of the MOVEit Incident, CLEAResult immediately took steps to secure its MOVEit application," CLEAResult's external law firm wrote in letters to Tong's office and counterparts in other states. "The investigation revealed that an unauthorized actor transferred copies of certain files from the CLEAResult MOVEit system on or about May 30, 2023. The investigation into the scope of the impact and the information affected is ongoing."

    Under Connecticut's data privacy law, companies are required to notify any people affected by a data breach with no "unreasonable" delay and no more than 60 days after discovering any incident. Companies must notify the Connecticut Attorney General's office as well.

    "CLEAResult takes this incident and the security of information in our care seriously," stated Divakar Jandhyala, chief product and technology officer for CLEAResult, in the customer letter template on file with the Connecticut AG and counterparts. "Please accept our sincere apologies and know that we deeply regret any concern or inconvenience that this may cause you."

    Includes prior reporting by Paul Schott and Luther Turmelle.
