Duke Energy says 374,000 customers may have had their personal information exposed.
The utility says it was notified of the possible breach by a vendor called TIO Networks. The company is owned by PayPal, and handles Duke Energy's walk-in payment processing centers in six states.
In North Carolina, the vast majority of the potential breach applies to customers of the subsidiary Duke Energy Carolinas, which covers Charlotte, the Triad and parts of the Triangle.
Duke Energy Spokeswoman Meredith Archie says it only affects customers who used a check or cash to pay at the walk-in processing centers.
"Anywhere that a customer pays their utility payment in person," Archie said. "This could be a grocery store. It could be a mom-and-pop store; anywhere that has these Global Express payment centers in their stores."
The utility has temporarily suspended that payment method, Archie said.
Customers may have had their names, addresses, and Duke Energy account numbers exposed, as well as banking information if they used a check. TIO Networks is sending letters to those customers.
