All those people shopping Stethoscope.com at Christmas got a nasty surprise, and a stethoscope.
After the website was hacked over a two-month period, 122 Maine customers were alerted last January that their financial details may have been exposed.
They were just some of the 151,000 Mainers who received word in 2013 that their Social Security numbers, credit cards and other private details were unexpectedly outed.
Massive files kept in the Maine Attorney General’s Office — where companies are bound by state law to report even the smallest consumer breach — show definite trends: secretly installed data-collecting malware, rogue employees, missent mail, stolen company laptops.
The bulk of the breaches last year were at Target, whose lawyer sent a one-page letter saying 115,000 of the millions of pilfered transactions last fall had taken place in Maine.
“This whole Target thing, which was then Neiman Marcus and Michael’s, it feels like this winter it just went right off the chain and now it’s getting a lot of attention,” said Assistant Attorney General Linda Conti, head of the office’s Consumer Protection Division. “I was one of them (caught by the Target breach). Almost all my friends were.”
Five state agencies collect breach notices, with the AG’s Office receiving the lion’s share (nearly 250 last year). The Maine Bureau of Financial Institutions counted four, the Maine Office of Securities three, the Maine Bureau of Consumer Credit Protection 13 and the Maine Bureau of Insurance five.
The state’s first job, Conti said, is to make sure consumers aren’t left holding the bag on any errant charges, and by and large they haven’t been.
“Usually consumers don’t have a problem because the banks and the credit card companies take care of all the problems on the back end,” she said. “Then, the second thing you look at is whether or not the company that had the breach should be held accountable in some way, like for failing to meet the right standards to keep consumer data confidential, and those usually end up being big investigations of the big companies, like the Targets.”
The state has several ongoing breach-related investigations, but nothing it can talk about yet, according to Conti.
It may be limited to a hassle for most consumers, but there’s definitely a cost.
John Murphy, president of the Maine Credit Union League, estimated the state’s credit unions re-issued 20,000 credit and debit cards this winter in response to the Target breach.
It costs about $5 to re-issue one card.
“That’s a pretty significant expense,” Murphy said. “Unfortunately, people think the retailer picks up the cost of that.”
Instead, credit unions and members absorbed that $100,000.
Chris Pinkham, president of the Maine Bankers Association, said his group hadn’t done a card and cost survey, though, “I do know we’ve had many, many banks reissuing cards.”
Among the data breaches reported to the state in 2013:
* The Maine Historical Society found a file on its server in October 2013 that appeared to date back to October 2009 and allowed the viewing of files like credit cards; 622 people in multiple states were affected.
* Dead River discovered malware in its system that appeared to expose customer payment and credit application information over two days in March; 965 Maine residents were affected.
President Robert Moore’s letter to customers last spring: “First, we’re sorry.”
* An independent contractor was allegedly caught on a security camera stealing computer software with 56,000 Social Security numbers at Primedia, a collection of real estate-finding websites, last spring; 24 Maine residents were affected.
* An outside vendor doing a mailing for Schneider Electric included employees’ Social Security numbers on a bulk mailing last January; seven Maine residents were affected.
* 58 pages of insurance information were lost in September when the U.S. Postal Service allegedly damaged a package shipped by Massachusetts Mutual Life; one Maine resident was affected.
Breaches are already rolling in for 2014. At the top of the tall pile in the AG’s Office, a letter from Home Depot from just last week:
“Three former Human Resources employees have been arrested on allegations that include the unlawful use of personal information (including name, contact information, financial information, drivers license, Social Security numbers . . .”
Forty Maine residents were affected. The U.S. Secret Service is investigating.
What to do as a consumer? Be proactive, and maybe look to Congress.
Easy as dumpster-diving
Three weeks ago, the congressional Committee on Energy and Commerce held a hearing on the alarming uptick of data breaches and whether anything can be done going forward, like new federal laws about reporting a breach or requiring more secure credit cards.
“The states are always progressive on consumer protection legislation,” said Conti. “I’m wondering now if the Target breach has caused so much widespread distress that it might give the Congress some energy to actually pass something.”
(For more on the Maine delegation’s response to addressing the issues, see related story.)
Murphy said Maine credit unions will begin issuing high-tech, European-style credit cards this year, but “we don’t think it’s the magic bullet that some are making it out to be.”
“There’s been tremendous national press about this fix and that fix,” said Pinkham. High-tech cards are part of the long-term solution: “That’s fine for a card-presented sale, but it does nothing for the Internet sale. I can tell you in the Pinkham household, we’re probably buying a lot more through the Internet than we ever were and we’ll continue to do that. We’ve got multiple channels that need to be addressed.”
All three suggest consumers monitor their bank, credit union and credit card accounts regularly, whether they suspect a breach or not.
Ed Sihler, technical director at the University of Southern Maine’s new Maine Cyber Security Cluster, goes a step further: For small businesses, designate one office computer for credit card transactions and one office computer for online banking, and don’t use either for anything else, period.
“Don’t surf the web on it,” he said. “Don’t answer your email on it or anything else.”
For consumers, know your web browsers at home, install anti-virus software and be vigilant.
“Target is, in some ways, really a throwback; what happened is the same thing that could have happened back in the days of dumpster-diving for credit card numbers,” Sihler said. “What they did is they copied the credit card information. You’ve got to check your credit card statements. That’s the biggest thing against that kind of fraud.”
USM’s Maine Cyber Security Cluster has a special 1,200-square-foot lab under construction now, due to open in June, to work with businesses, consumers and government.
“One of the things we plan to do is release real malware, the sort of things that are not currently picked up by the anti-virus software,” he said. “We can set them loose safely in the lab and see what they do.”
“We’re hoping to launch some classes to talk about this, to show how this works and also show how you can steal data so that the public can actually, in a safe environment, say, ‘Oh wow, I didn’t realize it was that simple for somebody to get at my stuff,’” said Sihler.
This story was updated with the correct spelling of Ed Sihler’s last name at 9:24 a.m. Thursday, Feb. 27.
The Sun Journal asked members of Maine’s congressional delegation about their position on Congress adopting more stringent standards for credit cards and related consumer protections.
U.S. Sen. Susan Collins, co-author of the Cybersecurity Act of 2012 (it failed in a close Senate vote)
“Today, the Internet is under constant attack on all fronts. National Security Agency Director General Keith Alexander blamed cyber attacks for the ‘greatest transfer of wealth in history,’ estimating that U.S. companies lose about $250 billion a year through intellectual property theft, $114 billion to theft through cyber crime and another $224 billion in down time the thefts caused. As General Alexander said, ‘This is our future disappearing before us.’ Experts have repeatedly warned that the computer systems that run our critical infrastructure — our electric grid, water systems, financial networks and transportation systems — are vulnerable to a major cyber attack. A cyber attack is a threat not just to our national security, but also to our economic edge and way of life.
“The data and the headlines make it clear that we have already waited too long to address this escalating threat.”
U.S. Sen. Angus King
“A string of data breaches over the past several months has exposed the financial and personal information of tens of millions of Americans, including many in Maine. Cybersecurity is equally as important to consumer protection as it is to national security. Mainers should not have to live in fear of losing their life savings or having their identity stolen because they used their credit card while shopping online or on Main Street. This is a serious issue and it’s time Congress acts quickly to examine the issue and find solutions that protect consumers.”
U.S. Rep. Mike Michaud
“The House Energy and Commerce Committee has held its first hearings on data breaches and I am following their progress. Clearly, more needs to be done to ensure that Americans can trust that their personal information is safely protected. We need to encourage private-sector stakeholders to adopt next-generation security technology and implement the strongest consumer protections available. I hope that the committee will act with the same bipartisan spirit that led the House to overwhelmingly pass data accountability legislation in 2009.”
U.S. Rep. Chellie Pingree
“I definitely support tougher regulations to protect consumers when their credit card info is stolen and, more importantly, to help keep these thefts from happening in the first place. I’m also concerned about the costs that these data breaches have on small banks and credit unions, who have to bear much of the cost of replacing credit cards.”