EXECUTIVE SUMMARY:

For any organization that thinks weak cybersecurity practices don’t have significant consequences, here’s a wake-up call: An unnamed power company faces a $2.7M penalty due to improper cybersecurity oversight.

According to an electronic filing by the North American Electric Reliability Corporation (NERC), the power company in question left more than 30,000 records exposed without password protection. Not only that, the filing states that the data was exposed online for 70 days.

Among the exposed data were records associated with critical assets, such as “servers that store user data, systems that control access within the [utility company’s] control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical cyber assets information.”

Gizmodo reports that the exposed data included usernames together with cryptographic information that could be used to recover the corresponding passwords. Quoting from the filing, Gizmodo writes, “‘Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords,’ adding: ‘A malicious attacker could use this information to breach the secure infrastructure and access the internal [critical cyber assets] by jumping from host to host within the network.’”

Read more at Gizmodo.