NOTICE DATE: April 17, 2020
NOTICE TYPE: M-D041720-01 Financial/Credit
SHORT DESCRIPTION: Data Disclosure Incident
INTENDED AUDIENCE: ERCOT Counter-Parties
DAYS AFFECTED: March 13 & 16, 2020
LONG DESCRIPTION: On April 15, 2020, one of ERCOT’s financial institutions, JPMorgan Chase Bank, N.A. (JPMorgan) notified ERCOT that JPMorgan experienced an internal data code issue, which resulted in the inclusion of bank account and financial transaction data belonging to ERCOT Counter-Parties in balance and transaction reports that were downloaded by 19 JPMorgan clients/customers on March 16 and 17, 2020. The balance and transaction reports downloaded by JPMorgan’s clients/customers contained data for Business Days March 13 and 16, 2020. JPMorgan informed ERCOT that it identified the issue on March 21, 2020 and immediately implemented a code fix to prevent further recurrence. JPMorgan has assured ERCOT that this event was not the result of a cyber incident; it was an internal data code issue. ERCOT’s understanding is that the following types of information were included in the balance and transaction reports: bank account names; bank account numbers; and transaction information (e.g., dollar amounts, wire remark information, and bank reference numbers).
ERCOT Protocol Section 18.104.22.168(1)(z) identifies “non-public financial information provided by a Counter-Party to ERCOT pursuant to meeting its credit qualification requirements as well as the QSE’s form of credit support” as Protected Information. ERCOT considers some of the data contained in the reports downloaded by JPMorgan’s clients/customers to be Protected Information under ERCOT Protocol Section 22.214.171.124(1)(z)—i.e., Qualified Scheduling Entity (QSE) and Congestion Revenue Right (CRR) Account Holder (CRRAH) bank account numbers and other information identifiable to a QSE’s form of credit support (i.e., payments identified as collateral postings to satisfy credit qualification requirements).
ERCOT is working with JPMorgan to ensure that all steps are being taken to mitigate any risk associated with this issue. ERCOT is also in the process of identifying the Counter-Parties that were impacted by JPMorgan’s disclosure, and will be providing those Counter-Parties with information regarding the specific types of Protected Information that was disclosed. ERCOT’s preliminary determination is that the Protected Information disclosed by JPMorgan is primarily limited to QSE and CRRAH bank account numbers; very few instances of other information identifiable to a QSE’s form of credit support have been identified.
ERCOT will continue to provide Counter-Parties with updates concerning this incident.
CONTACT: If you have any questions, please contact your ERCOT Account Manager. You may also call the general ERCOT Client Services phone number at (512) 248-3900 or contact ERCOT Client Services via email at [log in to unmask].
If you are receiving email from a public ERCOT distribution list that you no longer wish to receive, please follow this link in order to unsubscribe from this list: http://lists.ercot.com.
To unsubscribe from the NOTICE_CREDIT list, click the following link: