April 16, 2013

CMP says thousands of job applicants' information possibly stolen by hackers

About 5,100 people, some of whom filled out an online application more than six years ago, are at risk, company says; customer data safe

By Matt Hongoltz-Hetling mhhetling@centralmaine.com
Staff Writer

More than 1,000 Maine residents who applied for jobs at Central Maine Power using the company's website may have had their personal information stolen by an Internet hacker during a recent security breach.

click image to enlarge

Central Maine Power Co. workers check out a transformer along Route 26 in Gray in March 2010. The company said as many as 5,100 job applicants who used their website may have had their personal information stolen by a hacker.

Portland Press Herald file photo by John Patriquin


The following could be signs of identity theft, according to the FBI

• Unauthorized charges on your accounts

• Being denied credit, despite good credit history

• Creditors attempt to recover charges you did not incur

• Credit card or bank statements do not arrive at your home when expected

• A new or renewed credit card fails to arrive

The company and its applicants are the latest victims of a growing form of cybercrime that facilitates widespread identity theft.

Approximately 5,100 people, some of whom filled out an online application more than six years ago, are at risk, according to John Carroll, a spokesman for the company.

Central Maine Power and two other companies that provide power to New York are owned by parent corporation Iberdrola USA; those who used Iberdrola's recruitment site to apply to any of the four entities since January 2007 could have been affected by the online security breach, the company said in a statement released Tuesday.

Carroll said there is no ongoing threat from the breach, which the company confirmed had occurred last week.

"We've taken the site down," he said. "We are reviewing all the safety and security protocols. We are not putting it up until we are confident that it is safe and secure."

The application site is a standalone system that is separate from the power company's customer data, which were not affected by the breach.

Those who visited the company's career page in hopes of applying this week got a message saying the site is temporarily unavailable "while we complete some system upgrades."

Carroll said that the security breach is under parallel investigations from the power company and from the FBI.

Those whose information has been compromised will be notified directly by Central Maine Power, Carroll said.

"We take our responsibility to protect employment candidates' personal information very seriously," he said.

For those who may have been affected, the company is offering a year of credit monitoring to help them detect any fraud or identity theft that could result from the access to their personal information.

Identity theft is a growing concern among law enforcement, with the U.S. Bureau of Justice Statistics showing that 8.6 million households had members who were victims of the crime in 2010, the most recent year on record. The number was up significantly from the 6.4 million households victimized in 2005.

The Federal Trade Commission estimates 8.3 million American consumers were victimized in 2005. Victims spent more than 200 million hours in that year attempting to recover from the crime, the commission estimated.

Part of the problem is that hacking, unlike most crimes, can be perpetrated against thousands of victims by a single individual with little effort.

In April 2012, Austrian police arrested a 15-year-old boy, who confessed to hacking into 259 different companies during a three-month period using information he had learned from an Internet forum on hacking.

Several widely reported hacking cases have involved huge numbers of potential victims, as was the case in 2008, when a job application website for insurer Aetna was hacked, affecting 450,000 people. Also in 2008, there was a breach in the transaction system operated by the Hannaford Bros. supermarket chain that potentially exposed 4.2 million customers to fraud.

In 2012, major online security breaches were reported at Blizzard Entertainment, a gaming company; a U.S. payment processor for Mastercard and Visa; South Carolina Credit Reporting; search engine Yahoo; Nissan Motor Co.; and website host GoDaddy.com, among others.

Carroll did not release details of the ongoing internal investigation, but he did say a computer forensics team had been hired to help.

Matt Hongoltz-Hetling — 861-9287

Were you interviewed for this story? If so, please fill out our accuracy form

Send question/comment to the editors

Further Discussion

Here at KJonline.com we value our readers and are committed to growing our community by encouraging you to add to the discussion. To ensure conscientious dialogue we have implemented a strict no-bullying policy. To participate, you must follow our Terms of Use.

Questions about the article? Add them below and we’ll try to answer them or do a follow-up post as soon as we can. Technical problems? Email them to us with an exact description of the problem. Make sure to include:
  • Type of computer or mobile device your are using
  • Exact operating system and browser you are viewing the site on (TIP: You can easily determine your operating system here.)