More than 1,000 Maine residents who applied for jobs at Central Maine Power using the company’s website may have had their personal information stolen by an Internet hacker during a recent security breach.

The company and its applicants are the latest victims of a growing form of cybercrime that facilitates widespread identity theft.

Additional Photos

Central Maine Power Co. workers check out a transformer along Route 26 in Gray in March 2010. The company said as many as 5,100 job applicants who used their website may have had their personal information stolen by a hacker. Portland Press Herald file photo by John Patriquin

Approximately 5,100 people, some of whom filled out an online application more than six years ago, are at risk, according to John Carroll, a spokesman for the company.

Central Maine Power and two other companies that provide power to New York are owned by parent corporation Iberdrola USA; those who used Iberdrola’s recruitment site to apply to any of the four entities since January 2007 could have been affected by the online security breach, the company said in a statement released Tuesday.

Carroll said there is no ongoing threat from the breach, which the company confirmed had occurred last week.

“We’ve taken the site down,” he said. “We are reviewing all the safety and security protocols. We are not putting it up until we are confident that it is safe and secure.”

The application site is a standalone system that is separate from the power company’s customer data, which were not affected by the breach.

Those who visited the company’s career page in hopes of applying this week got a message saying the site is temporarily unavailable “while we complete some system upgrades.”

Carroll said that the security breach is under parallel investigations from the power company and from the FBI.

Those whose information has been compromised will be notified directly by Central Maine Power, Carroll said.

“We take our responsibility to protect employment candidates’ personal information very seriously,” he said.

For those who may have been affected, the company is offering a year of credit monitoring to help them detect any fraud or identity theft that could result from the access to their personal information.

Identity theft is a growing concern among law enforcement, with the U.S. Bureau of Justice Statistics showing that 8.6 million households had members who were victims of the crime in 2010, the most recent year on record. The number was up significantly from the 6.4 million households victimized in 2005.

The Federal Trade Commission estimates 8.3 million American consumers were victimized in 2005. Victims spent more than 200 million hours in that year attempting to recover from the crime, the commission estimated.

Part of the problem is that hacking, unlike most crimes, can be perpetrated against thousands of victims by a single individual with little effort.

In April 2012, Austrian police arrested a 15-year-old boy, who confessed to hacking into 259 different companies during a three-month period using information he had learned from an Internet forum on hacking.

Several widely reported hacking cases have involved huge numbers of potential victims, as was the case in 2008, when a job application website for insurer Aetna was hacked, affecting 450,000 people. Also in 2008, there was a breach in the transaction system operated by the Hannaford Bros. supermarket chain that potentially exposed 4.2 million customers to fraud.

In 2012, major online security breaches were reported at Blizzard Entertainment, a gaming company; a U.S. payment processor for Mastercard and Visa; South Carolina Credit Reporting; search engine Yahoo; Nissan Motor Co.; and website host GoDaddy.com, among others.

Carroll did not release details of the ongoing internal investigation, but he did say a computer forensics team had been hired to help.

Matt Hongoltz-Hetling — 861-9287
mhhetling@centralmaine.com

Related Stories