A record $2.7 million fine has been levied against an electric utility for vulnerabilities in its IT infrastructure. The exposed information includes system names and locations, user names, and cryptographic information that could be used to decrypt passwords. The utility’s name was redacted from the public version of the NERC notification, though the filing did include standard language from consent decrees to the effect of, “we didn’t do it the first time and we promise not to do it again.” In this case, there is no allegation that a breach actually occurred because of the vulnerability.

