The Florida Reliability Coordinating Council (FRCC), a Tampa-based nonprofit responsible for coordinating the reliability and security of Florida's bulk power electric system, has disclosed a data breach involving the unauthorized copying of files from its computer systems. The intrusion exposed names and Social Security numbers, with 831 Texas residents and one New Hampshire resident confirmed affected, though the full nationwide total has not been disclosed.

What Happened

On April 1, 2026, FRCC detected suspicious activity on its computer network. The organization immediately moved to verify the integrity of its environment, restore systems from backup, and launch a forensic investigation to determine the scope of the incident. Investigators concluded that an unauthorized actor had copied files from FRCC systems during a three-day window between March 30, 2026 and April 1, 2026. The breach was publicly disclosed on May 15, 2026, roughly six weeks after the initial detection.

What Was Taken

The exfiltrated files contained personal information including:

FRCC has not disclosed the total nationwide victim count. Regulatory filings to date confirm 831 affected Texas residents and one New Hampshire resident, but the actual exposure is almost certainly larger given that state-by-state attorney general notifications typically reflect only a fraction of an incident's overall footprint. No financial account numbers, medical data, or operational technology data have been confirmed exposed at this time.

Why It Matters

FRCC is one of the NERC Regional Entities that historically oversaw reliability standards for Florida's bulk electric system. While the disclosed data is administrative (employee or contractor PII rather than grid telemetry), any intrusion touching an entity in the energy reliability ecosystem warrants attention. Threat actors targeting reliability coordinators, ISOs, and RTOs frequently seek footholds that can be pivoted toward more sensitive operational environments or used for social engineering against utility personnel. The three-day dwell window before detection is also notable: it suggests the actor moved quickly to stage and exfiltrate data, consistent with opportunistic ransomware-adjacent extortion crews rather than long-term espionage operators.

The Attack Technique

FRCC has not publicly attributed the incident to a named threat actor and has not disclosed the initial access vector. The disclosure language, specifically the references to "securely recovering systems from backups" and confirmed file copying within a tight window, is consistent with data-theft extortion tradecraft commonly seen from groups exploiting edge appliances, stolen credentials, or unpatched remote access infrastructure. No ransomware leak site posting has been publicly tied to FRCC as of publication, leaving open the possibility of a quiet ransom payment, an ongoing negotiation, or a non-ransomware intrusion focused purely on data theft.

What Organizations Should Do

Energy sector entities and nonprofits handling workforce PII should treat this incident as a prompt to validate the following controls:

  1. Audit external attack surface. Inventory all internet-exposed services (VPNs, file transfer appliances, RMM tools) and confirm they are patched against known exploited vulnerabilities.
  2. Enforce phishing-resistant MFA on all remote access, administrative consoles, and email, particularly for accounts with access to HR or payroll file shares where SSN data tends to live.
  3. Deploy egress monitoring and DLP capable of flagging large outbound transfers to cloud storage providers, paste sites, and uncategorized infrastructure within hours, not days.
  4. Segment HR and finance file repositories from general user shares and require just-in-time access with logging, reducing the blast radius of any single compromised account.
  5. Exercise backup and recovery procedures under a realistic ransomware scenario, including validation that restored systems are clean of attacker persistence before being returned to production.
  6. Pre-stage breach notification workflows including state AG reporting, IDX or comparable monitoring vendor relationships, and legal counsel, so disclosure can occur within statutory windows without operational scramble.

Affected individuals have until August 13, 2026 to enroll in the 12 months of complimentary credit monitoring and identity restoration services FRCC is offering through IDX. A dedicated assistance line is available at 1-833-788-9712.

Sources: FRCC Data Breach: Social Security Numbers Exposed