Toronto Hydro has sent a letter notifying each of its customers of a security breach that has put customer information in the hands of a third party.  Taken by itself, the information revealed is not sufficient to cause financial loss. However, there is a concern that it may be enough to leverage other, more sensitive, data in a social engineering* gambit.

Even if you don't understand how, please accept the following as fact: Information has value.  Criminal organizations are behind the majority of data breaches you read about in the news.  Unscrupulous people with some technical savvy are more than happy to accept money for breaching security systems.  Seemingly innocuous data from disparate sources can be merged to create a more complete profile of an individual or organization that may potentially be used to facilitate improper access to further information or, perhaps, funds.

If any good can be taken from this unfortunate event let it serve as a reminder to limit, to the greatest extent possible, the information you provide to anyone with whom you choose to do business.  Rogers does not need your drivers license number to provide phone service.  Bell does not need your social insurance number to sell you ExpressVu.  If these organizations don't have the information, they can't inadvertently disclose it.  The fact that there is a box on a form in no way obligates you to disclose information that is irrelevant to the transaction at hand.  Privacy laws aside, ultimately you are responsible for the security of your personal information.

*Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.