A laptop’s stolen in Seattle and 205 Starbucks employees in Maine get word that a thief has their Social Security numbers.

The World Bank slips up and posts payroll records online. For four Mainers that means the very public outing of their bank account numbers.

A Fox Entertainment employee in Los Angeles pokes around company files containing Social Security numbers and salaries, and, hello — sees three that belong to Mainers.

It happens more frequently than you’d guess.

Since March 2008, when a major digital security breach at Hannaford made headlines, state agencies in Maine have received more than 200 breach notifications, each time with someone’s sensitive information exposed. A Sun Journal analysis of those records found that more than 24,000 Mainers have had their computerized personal data compromised by merchants, employers, insurance companies and financial institutions over the past 21 months.

Sometimes, the information has been hacked. Sometimes, outright stolen. Sometimes, lost. Other times, mis-sent. Each time, those people are potentially exposed to financial havoc.


And sometimes, as Fox wrote to the Maine Attorney General’s Office: “The investigation suggests that the confidential data was used to annoy selected individuals.”

With so much personal data entrusted to others on a daily basis — to banks when you set up an account, to stores every time you swipe a debit or credit card, to the workplace when you apply for a job — state records revealed there was often little an individual could have done to avoid getting swept up in any of those 200-plus breaches.

“It almost seems like you’re helpless,” said Andrew Grover, vice president and risk manager at Androscoggin Bank.

But experts agree there are some things you can do to try to protect yourself and precautions to take after receiving a breach notice. They also offered bits of cold comfort.

Even though a breach can lead to identity theft, it doesn’t always. And, with so many breaches going on, so much flowing data is actually depressing the black market for stolen personal information.

Grover says you’re not worth as much, illegally, as you used to be.


Reporting to the state

Maine law requires that businesses and employers notify the state and any affected individuals living here whenever they’ve experienced a computerized security breach.

They’ve come in from businesses and agencies large and small. Bristol-Myers Squibb. Motorola. Saks Fifth Avenue. MetLife. Bowdoin College. The Maine Department of Health and Human Services. A kids’ camp named Camp Starfish.

Five state agencies collect breach notices. The Attorney General’s Office receives them from merchants, which accounted for 164 of the roughly 210 breaches brought to the state’s attention between April 2008 and December 2009.

They span all manner and matter.

Broome Community College in New York accidentally printed 25 Maine alumni’s Social Security numbers on the mailing labels of their alumni magazines. When hackers broke into Slimfast.com, 48 Maine people had their names, addresses, birth dates, heights — but not weights and financials — laid bare.


At least 24 Mainers were affected when they logged on to their CheckFree bill-pay accounts over a 10-hour period and got rerouted to a server in the Ukraine … with nasty malware lying in wait.

The single most common means of a merchant breach? Personal data left on a laptop that’s later stolen or lost.

At Verso Paper, 1,435 people were notified after an employee left a laptop filled with former and current workers’ names and Social Security numbers on an airplane. Before Cabela’s officially opened in Scarborough, a laptop stolen off that job site left 120 applicants’ most personal information out of the outfitter’s hands overnight.

And in Missouri, a computer taken during a break-in at Anheuser-Busch contained more than 80 Maine people’s marital status, ethnicity, birth dates, addresses and Social Security numbers — more than enough to apply for credit, or anything else, in their names.

The AG’s Office only gets involved if there’s a larger issue to pursue, said Linda Conti, chief of the Consumer Protection Division.

A state survey of Maine banks and credit unions found 64,825 accounts were affected by the TJX breach in the winter of 2007, a case where the state stepped in. The parent company of TJ Maxx and Marshall’s, which Conti said knew it had a weak security system but didn’t want to spend money on an upgrade, entered into a settlement and paid Maine $38,670 last May. It also settled with 40 other states.


The Hannaford case — that same survey counted 243,599 affected accounts — is still ongoing in the AG’s Office two years later.

Conti said she will be looking into a lawsuit filed by the Connecticut Attorney General last week against Health Net after a breach at that company. It lost a portable computer disk drive with personal information on nearly 1.5 million members. A notice sent in November said 472 Maine people were in that group.

“Unless we go back to cash, I don’t know what we can do to stop this or prevent this completely,” Conti said.

After the AG’s Office, the Maine Bureau of Insurance counted the second-highest number of breach notifications at 16. The Bureau of Financial Institutions came in third-highest at 12. The Maine Office of Securities and Bureau of Consumer Credit Protection each had nine.

The Bureau of Financial Institutions counted a single breach in all of 2009, in December at Androscoggin Bank, and it didn’t trace back to the bank itself; that breach may have originated at a liquor store, according to records from Superintendent Lloyd LaFountain III.

Four of his 11 cases in 2008 involved Wyoming banks and missing backup computer tape with account and Social Security numbers, apparently lost in transit.


“There’s always fraudulent or potentially fraudulent activity out there,” said LaFountain, whose office shared its Data Breach Study and survey with the Legislature just over a year ago. “It requires institutions to be very vigilant.”

So my information’s out there. Now what?

A computerized data security breach is largely about possibility.

The possibility that another person saw what escaped out into the world. The possibility that someone stealing a laptop discovers — or even cares — that there’s sensitive information on it, then puts the time into cracking a password or encryption.

The possibility that with that information, another party will use it to rack up charges or steal your identity.

So, say you do get a notice. Then what?


First, don’t panic, Conti said. Watch your financial statements; stay alert.

Know that some credit cards do carry a $50 fraud liability limit, according to the Federal Reserve Bank of San Francisco, and that on some debit cards the consumer’s liability runs between $50 and $500, or the entire loss if the consumer takes too long to report it.

But in most cases, consumers aren’t liable for charges made without their knowledge.

“The banks assume liability, so it’s not really your problem,” said Professor George Markowsky. He teaches cyber security at the University of Maine, host to the upcoming Northeast Collegiate Cyber Defense Competition in March. (Pros will try to hack into computers; teams of students will try to hold them off.)

He echoed the need for vigilance in looking after credit card and bank statements, and encouraged steps to limit the potential reach of a breach, such as varying your online passwords.

“People have the same passwords for all their accounts. If one account is broken into, then every other account can go,” Markowsky said.


Also, in the workplace, he said, follow company policy, which frequently forbids storing personnel or customer information on flash drives or laptops and taking either home. (For more tips for consumers and businesses, see related story.)

Ultimately, very few breaches, at least in Maine so far, rise to the level of identity theft, according to Will Lund, superintendent of the Bureau of Consumer Credit Protection. “If there were 50 or 100 in a year (in Maine,) I would be surprised,” he said.

It’s an important distinction.

“A breach is going to be one card in your wallet,” said Grover at Androscoggin Bank. “People aren’t taking losses. Identity theft, you could wake up and your credit score would be in the toilet because people took out a bunch of loans in your name.”

‘The fraudsters are getting smarter’

It may be impossible to measure the impact on the 24,335-plus people who received breach notices since April 2008, either in money lost out-of-pocket or in accounts canceled and cards reissued. (Twenty-seven companies reported to the state that a breach affected Mainers, but they didn’t provide head counts, leaving the tally unknown.) Records do show many were offered free credit monitoring service after the fact.


Lund’s survey found data breaches cost Maine banks and credit unions $2.1 million in 2007 and 2008, more than half of that in the cost of reissuing cards. Fraud loss related to the TJX breach was estimated at $36,200; the Hannaford breach, $299,500.

“Since we’re owned by our members, ultimately that cost is absorbed by our member-owners,” said Jon Paradise, spokesman for the Maine Credit Union League.

Financial institutions know they’re targets. Grover said Androscoggin Bank uses a processor with a fraud-detection system that watches for unusual activity and out-of-pattern transactions, say, paying for something with the swipe of a card in Lewiston and 10 minutes later paying for something with a swipe in Florida, a physical impossibility.

“It creates a score. When it hits a certain level, we are alerted,” he said. However: “The fraudsters are getting smarter — they know how to keep under that score.”
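The two paragraphs above describe the core of an "impossible travel" check: two swipes on one card, too far apart for the time between them, raise a score, and the score crossing a threshold pages a human. The block below is an added illustration of that logic, not Androscoggin Bank's or its processor's code. The coordinates, timestamps, the 900 km/h plausibility ceiling, the per-hit weight and the alert threshold are all constructed for the example.

```python
"""Impossible-travel (geovelocity) scoring over card transactions.

Added example, not the bank's or processor's software. Every sample
transaction and threshold here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed ceiling: roughly an airliner's cruising speed
HIT_WEIGHT = 60                   # assumed points added per impossible hop
ALERT_THRESHOLD = 50              # assumed score at which staff are alerted


@dataclass(frozen=True)
class Transaction:
    card: str        # constructed card label, not a real account number
    when: datetime   # time of the swipe
    place: str       # merchant location, for the analyst's benefit
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Transaction, cur: Transaction) -> float:
    """Speed the cardholder would need to be present at both swipes."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp (or clock skew): any distance at all is impossible.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def score_card(txns: List[Transaction],
               max_speed: float = MAX_PLAUSIBLE_SPEED_KMH) -> Tuple[int, List[str]]:
    """Walk one card's swipes in time order; each physically impossible hop adds points."""
    score = 0
    reasons: List[str] = []
    ordered = sorted(txns, key=lambda t: t.when)
    for prev, cur in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(prev, cur)
        if speed > max_speed:
            score += HIT_WEIGHT
            reasons.append(f"{prev.place} -> {cur.place}: {speed:,.0f} km/h implied")
    return score, reasons


def alerts(transactions: List[Transaction],
           threshold: int = ALERT_THRESHOLD) -> Dict[str, List[str]]:
    """Group swipes by card and return the cards whose score reached the threshold."""
    by_card: Dict[str, List[Transaction]] = {}
    for t in transactions:
        by_card.setdefault(t.card, []).append(t)
    flagged: Dict[str, List[str]] = {}
    for card, txns in by_card.items():
        score, reasons = score_card(txns)
        if score >= threshold:
            flagged[card] = reasons
    return flagged


# Constructed sample: card-A is the Lewiston-then-Florida case from the article;
# card-B is an ordinary local errand and should stay quiet.
T0 = datetime(2009, 12, 1, 12, 0)
SAMPLE = [
    Transaction("card-A", T0, "Lewiston, ME", 44.1004, -70.2148),
    Transaction("card-A", T0 + timedelta(minutes=10), "Orlando, FL", 28.5383, -81.3792),
    Transaction("card-B", T0, "Lewiston, ME", 44.1004, -70.2148),
    Transaction("card-B", T0 + timedelta(minutes=30), "Auburn, ME", 44.0979, -70.2312),
]

if __name__ == "__main__":
    for card, why in alerts(SAMPLE).items():
        print(card, "->", "; ".join(why))
```

Running it flags only card-A, whose second swipe implies a speed of roughly 12,000 km/h. The threshold design is also where Grover's caveat lives: a single hop that stays under the speed ceiling adds nothing, so a real system layers other signals (merchant category, amount, device) on top of distance and time rather than relying on one score component.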

Thieves also like to steal and then sit on data, he said, waiting for their virtual trail to go away and the best price to sell.

“I don’t think anybody needs to be scared; they need to be smart,” said Christine Conrad, senior vice president and marketing director at Androscoggin Bank.


A footnote for all this: While state statute says companies have to report breaches, nothing says that information has to be distilled and shared with the Legislature, or even annually reviewed. Some agencies keep the data internally on electronic spreadsheets. At the AG’s Office, where news of a breach arrived about twice a week, letters are read and filed in thick manila folders.

“We have had discussions about looking for trends,” said Conti with the AG’s Office. “It’s not clear to me what, if anything, our next step should be in this arena.”

She said it was unclear whether notifications help consumers or cause more alarm than necessary.

Lund said he believes fewer breaches happen in Maine because the state has fewer people and fewer central repositories for information. Breach records suggest many of the incidents since April 2008 involve crimes and activity taking place outside Maine.

Just the same, “The idea we are (untouched) is a myth,” Lund said. “We are all part of the electronic age.”

kskelton@sunjournal.com


Keeping your information safe

According to our experts, financial security can be as simple as a song, and swearing off your mailbox.

Those experts are:

George Markowsky at the University of Maine, Andrew Grover and Christine Conrad at Androscoggin Bank, Linda Conti at the Maine Attorney General’s Office, Will Lund at the Bureau of Consumer Credit Protection and Benjamin Jordan and Rebekah Higgins at the Maine Credit Union League.

Their advice:

• Bank online: It allows a real-time look at your credits and debits, and avoids the literal paper trail of monthly statements for others to find in your home, mailbox or trash. (Though if you use a laptop via Wi-Fi, make sure you know absolutely whose Wi-Fi you’re connected to.)


• If you’re loath to give up paper, reconcile your checkbook every month when the statement arrives.

• When you see a charge that doesn’t belong to you, don’t be shy — call the credit card company or your financial institution ASAP. Spot it soon enough and you likely won’t be liable.

• In that spirit, seek out and use a card with zero consumer fraud liability.

• If you have been the victim of identity theft, call local police to file a report. It can provide stronger footing to fight any errant charges/accounts if you have a police report in hand.

• Mind your sensitive documents (monthly or quarterly statements, credit card offers, etc.). When you’re ready to toss them, shred them. Androscoggin Bank just started offering Free Shred Fridays — for customers and non-customers — to drill that point home.

• Use different passwords for different online accounts and do not write them down. Think of a lyric or an easy-to-remember phrase, use the first letter of every word, then tack on an easy-to-remember number. Grover gave a primer: “For example: ‘My password for Androscoggin Bank is great’ = ‘mpwfabig’. You can enhance complexity by capitalizing letters, mixing in numbers and symbols. For example: ‘My pass word for Androscoggin Bank is great!’ = ‘mpw4ABig8!’”


• Grover said PINs are more difficult. “But again, think of a sentence. For example: ‘1234’ could be remembered as ‘Tom Brady #12, won 3 Super Bowls in 4 years.’”

• Make sure firewall and anti-virus software is up to date. Try Google Pack’s free Spyware Doctor with Anti-Virus. To find it, go to Google, click “more,” then “even more,” and scroll to the bottom of the screen.

• While putting data on a laptop, ask, “What’s the worst that could happen if someone stole this?”

• For businesses, institute rules: Who can take data home, if at all, how and when. Then, this is important: Follow them. Also take the time to encrypt.

• Stay away from suspect Web sites; ditto with suspect e-mail.

• Phone and e-mail phishing scams are still alive and well. Don’t give your full Social Security number or bank account number to anyone calling or writing to confirm information.


• When paying online at a merchant’s Web site, look for the “s” in the URL, as in “https.” It stands for secure.

• When hiring employees, do background checks. “Some crimes don’t change. Hiring a bad employee — they can get around anything,” Grover said.

• Let your financial institution know when you’re traveling, but don’t let the virtual world know when you’re away.

• Give your credit report a checkup to make sure no strange accounts have crept in. Everyone in Maine is entitled to one free credit report per year at www.annualcreditreport.com.

• Say goodbye to mailing bills from your mailbox at home. Data thieves see that little red flag, too. Pay online or drop letters in a postal box.

• Don’t self-breach on social networking sites like Facebook. Mind how much information you put out there and don’t leave familial clues that let strangers figure out your mother’s maiden name, a common security question.


“If I had small children, the last thing I would do is put their names and pictures online,” Markowsky said. “I would worry more about keeping family from really creepy people than losing $50 on a credit card.”


A sampling of breaches from state records between April 2008 and December 2009

E-mail mistake
Sea Ray Boats
4 Mainers affected
“A Sea Ray employee unintentionally e-mailed to 698 Sea Ray dealership personnel a document containing personal information, including name, contact information and Social Security number of 341 of the individuals who were included on the e-mail.” E-mail recalled within the hour.
Mail mistake
Finance Authority of Maine
132 Mainers affected
While mailing 1099-Q forms to State of Maine Grant recipients, “the social security number of some individuals was placed on forms with the name and address of another individual. The forms were then mailed out to the latter individual.”
Laptop stolen
Blue Cross Blue Shield
6,334 Mainers affected
An “employee transferred certain provider data, including the provider name, address, tax ID, Social Security number and National Provider Identifier … to a personal laptop to complete work-related analysis.” Laptop later stolen.
Laptop stolen
Fairpoint Communications
1,721 Mainers affected
“We discovered that a portable data device containing personal information about our current and former employees had been missing for perhaps as much as approx. two weeks from a FairPoint office location. Included on the device was … names, home address and phone numbers, Social Security numbers, birth dates and certain compensation and employment information.”

Server hacked
Batteries.com
620 Mainers affected
The company’s server was hacked, potentially over a two-month period from February to March; customer information like names and credit cards breached.
Laptop and flash drive stolen
Kraft Foods
14 Mainers affected
“In mid-August 2009, a Kraft-Foods owned laptop computer and USB flash drive were stolen from the car of an employee. The computer and flash drive contained personally identifiable information concerning Kraft Foods employees and benefit plan participants.”
Hacker
Wyndham Hotels and Resorts
337 Mainers affected
A “sophisticated hacker” used malware to get credit card information: “This incident was identified when Wyndham received information that certain fraudulent credit card transactions were possibly traced back to one of our hotels.” Breach discovered in May, on the heels of “the 2008 Data Incident.”
Hacker
Miss Ellie’s Coffee.org
60 Mainers affected
Hacker got into files on its e-commerce site, potentially over a two-month period from June to July. Breach to customer names and credit cards.
