BreachExchange mailing list archives

CMP says thousands of job applicants' information possibly stolen by hackers


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 17 Apr 2013 11:06:53 -0400

http://www.onlinesentinel.com/news/CMP-says-thousands-of-job-applicants-information-possibly-stolen-by-hackers.html

More than 1,000 Maine residents who applied for jobs at Central Maine
Power using the company's website may have had their personal
information stolen by an Internet hacker during a recent security
breach.

The company and its applicants are the latest victims of a growing
form of cybercrime that facilitates widespread identity theft.

Approximately 5,100 people, some of whom filled out an online
application more than six years ago, are at risk, according to John
Carroll, a spokesman for the company.

Central Maine Power and two other companies that provide power to New
York are owned by parent corporation Iberdrola USA; those who used
Iberdrola's recruitment site to apply to any of the four entities
since January 2007 could have been affected by the online security
breach, the company said in a statement released Tuesday.

Carroll said there is no ongoing threat from the breach, which the
company confirmed had occurred last week.

"We've taken the site down," he said. "We are reviewing all the safety
and security protocols. We are not putting it up until we are
confident that it is safe and secure."

The application site is a standalone system that is separate from the
power company's customer data, which were not affected by the breach.

Those who visited the company's career page in hopes of applying this
week got a message saying the site is temporarily unavailable "while
we complete some system upgrades."

Carroll said that the security breach is under parallel investigations
from the power company and from the FBI.

Those whose information has been compromised will be notified directly
by Central Maine Power, Carroll said.

"We take our responsibility to protect employment candidates' personal
information very seriously," he said.

For those who may have been affected, the company is offering a year
of credit monitoring to help them detect any fraud or identity theft
that could result from the access to their personal information.

Identity theft is a growing concern among law enforcement, with the
U.S. Bureau of Justice Statistics showing that 8.6 million households
had members who were victims of the crime in 2010, the most recent
year on record. The number was up significantly from the 6.4 million
households victimized in 2005.

The Federal Trade Commission estimates 8.3 million American consumers
were victimized in 2005. Victims spent more than 200 million hours in
that year attempting to recover from the crime, the commission
estimated.

Part of the problem is that hacking, unlike most crimes, can be
perpetrated against thousands of victims by a single individual with
little effort.

In April 2012, Austrian police arrested a 15-year-old boy, who
confessed to hacking into 259 different companies during a three-month
period using information he had learned from an Internet forum on
hacking.

Several widely reported hacking cases have involved huge numbers of
potential victims, as was the case in 2008, when a job application
website for insurer Aetna was hacked, affecting 450,000 people. Also
in 2008, there was a breach in the transaction system operated by the
Hannaford Bros. supermarket chain that potentially exposed 4.2 million
customers to fraud.

In 2012, major online security breaches were reported at Blizzard
Entertainment, a gaming company; a U.S. payment processor for
Mastercard and Visa; South Carolina Credit Reporting; search engine
Yahoo; Nissan Motor Co.; and website host GoDaddy.com, among others.

Carroll did not release details of the ongoing internal investigation,
but he did say a computer forensics team had been hired to help.