Security Incident Notification: Issue with Public Dashboards Found and Resolved

Thursday, October 24, 2019

Yesterday afternoon, EnergyCAP, Inc. (ECI) confirmed a security vulnerability with the public dashboards feature of EnergyCAP Version 7. The vulnerability could allow users of public dashboards to gain greater access to EnergyCAP data than they should have received.

In response to the finding, EnergyCAP temporarily suspended the public dashboard functionality for all hosted databases. The Version 7 software has been updated on all hosted databases to resolve this issue, and public dashboard functionality has been restored. The specific details of the finding and the security response are included in the official security incident report attached to this notice.

For hosted clients: This is a notification only. No additional action is required by your organization at this time.

For clients with on-premises EnergyCAP databases: If you are actively using a release of EnergyCAP Version 7 prior to 7.5.7, we recommend that your organization takes one of the following actions as soon as possible:

• Upgrade to the latest version of EnergyCAP Version 7—Please contact EnergyCAP Support to download the latest EnergyCAP Version 7 installation package which addresses this issue.
• Remove all public dashboard links from your existing EnergyCAP database—This can be performed by downloading a SQL script and running it on your EnergyCAP database. The script will need to be run by a database administrator. The script will provide a list of existing public dashboards (if any exist) and will remove the public sharing setting on each dashboard. NOTE: The dashboards will not be deleted. They will lose their existing public access.

Our Client Services team is prepared to handle any questions that clients may have. Please direct information security questions to:

Adam Hegedus
Chief Security Officer
EnergyCAP, Inc.

Email: adam.hegedus@energycap.com

Read full Security Incident Report here.