Human error in Central Maine Power’s information technology department last year led to the online release of names, addresses and former account numbers of 77,300 customers who were found to be ineligible for low-income bill-paying assistance.
The information was discovered during a Google search in May by a customer who alerted CMP, which took immediate steps to shut down access to the data and establish new security measures.
CMP’s data network wasn’t hacked or breached from outside, the company stressed, and no other personal data, such as social security numbers or financial information, was visible.
“It was an inadvertent security lapse, but was very limited in scope,” Felicia Brown, chief security officer for Avangrid, CMP’s parent company, told the Press Herald on Wednesday. “There was not a breach of CMP’s system.”
Because company lawyers and management considered the incident to be minor, CMP concluded there was no need to notify the Maine Public Utilities Commission. But following repeated queries over the past two weeks from the Portland Press Herald, the company on Tuesday phoned and briefed the chairman of the PUC, the Office of Public Advocate and the office of Gov. Paul LePage.
The PUC didn’t immediately return a call seeking comment.
Barry Hobbins, the Public Advocate who is charged with protecting the interests of utility consumers, said Wednesday that his office currently is evaluating whether any rules or laws were violated in CMP’s decision not to alert the PUC.
Hobbins questioned whether management exercised good judgement, at a time when CMP is facing a storm of attacks for how it treats and bills customers, and whether it’s telling the truth about problems at the utility.
In an August interview with the Press Herald, the company’s new president and CEO, Doug Herling, acknowledged that the company needed to rebuild trust with customers and regulators. He said CMP was probably Maine’s most mistrusted company at the moment.
“With all these controversial issues on their plate,” Hobbins said, “to add another one. It just gives you pause.”
John Carroll, a spokesman for CMP and Avangrid, said he could understand that reaction. He acknowledged that, “people with different agendas will use it for their purposes.”
But cybersecurity is a daily challenge at company such as CMP, Carroll said.
“This is one more example,” he said. “It didn’t rise to the level (of reporting) at the time. Not everyone reports every near miss.”
CMP’s Electricity Lifeline Program, known as ELP, helps year-round, low-income customers pay their power bill. Residents who are eligible for the state-run home energy assistance, live in subsidized housing or use oxygen pumps or ventilators may qualify for ELP.
To determine eligibility, CMP works with regional low-income assistance agencies, which vet applicants. If they don’t qualify, CMP sends those customers a form letter to let them know. It was these form letters, dating back nine years or so, that were stored on a server when files were routinely moved by CMP’s IT department last October.
Those files can be seen by the assistance agencies but are password protected. During the moving process, someone forgot to re-establish security protocols, according to Brown. In May, a customer discovered her name, address and former account information during a Google search and called CMP. That’s how the problem came to light.
After determining the scope of the problem, CMP notified the customer and prevented further access to the information. It then created a new level of security to view the eligibility information, Brown said, and set up a monthly scans of search engines. It also is deleting old applications.
Despite pledges to be more transparent, CMP has been reluctant to publicly devulge this sequence of events.
The Press Herald first reached out to CMP on Sept. 24 to ask about any data breach or customer data being hacked. Gail Rice, CMP’s spokeswoman, replied by email on Sept. 26 that the utility is, “not aware of any incidents this year of CMP customer data being hacked.”
Later that day, the Press Herald made a follow-up query: “Has any confidential customer information been made public this year?”
Rice replied that that was a different question and would look into it.
On Sept. 27, Rice said she needed some more details for what appeared to be customer-specific information. On Oct. 1, the Press Herald asked if the breach was linked to the Lifeline program. Rice replied that she was checking.
On Oct. 2, Carroll reached out to the newspaper to say he could discuss the issue the next day, and created a conference call with Brown. Carroll said the company alerted the PUC and Hobbins the day before, so they wouldn’t be caught off guard by a news story.
This story will be updated.
Copy the Story LinkComments are not available on this story.
Send questions/comments to the editors.
