Human error in Central Maine Power’s information technology department last year led to the online release of names, addresses and former account numbers of 77,300 customers who were found to be ineligible for low-income bill-paying assistance.

The information was discovered during a Google search in May by a customer who then alerted CMP, which took immediate steps to shut down access to the data and establish new security measures.

CMP’s data network wasn’t hacked or breached from outside, the company stressed, and no other personal data, such as social security numbers or financial information, was visible.

“It was an inadvertent security lapse, but was very limited in scope,” Felicia Brown, chief security officer for Avangrid, CMP’s parent company, told the Press Herald on Wednesday. “There was not a breach of CMP’s system.”

Because company lawyers and management considered the incident to be minor, CMP concluded there was no need to notify the Maine Public Utilities Commission. But following repeated queries over the past two weeks from the Portland Press Herald, the company on Tuesday phoned and briefed the chairman of the PUC, the Office of Public Advocate and the office of Gov. Paul LePage.

After reviewing the situation on Wednesday, the PUC said it was critical for utilities to protect consumer information, but that the agency didn’t find fault with how CMP handled this problem. 

Advertisement

“Based on the information provided to the commission by CMP and the commission’s follow-up inquiry, no public utility rule or law was violated,” the agency said in a statement.

But Barry Hobbins, the Public Advocate who’s charged with protecting the interests of utility consumers, said state statutes and PUC rules around reporting data releases such as this one are unclear. He said that after consulting Wednesday with PUC Chairman Mark Vannoy, the Public Advocate’s office drafted a letter to the PUC  proposing that rules be updated to require utilities to report any releases of personal information about their customers.

“The point,” Hobbins said, “is that there should no question, and no judgment call, no unilateral decision. The best way is to make it mandatory, by rulemaking, immediately.”

A rulemaking case at the PUC opens a docket in which interested parties are notified and can weigh in. Hobbins stressed that this process isn’t an investigation, but a way to update and clarify existing statute dealing with confidentiality of customer records.

Legal issues aside, Hobbins also questioned whether management exercised good judgment, at a time when CMP is facing astorm of attacks for how it treats and bills customers, and whether it’s telling the truth about problems at the utility.

In an August interview with the Press Herald, the company’s new president and CEO, Doug Herling, acknowledged that the company needed to rebuild trust with customers and regulators. He said CMP was probably Maine’s most mistrusted company at the moment.

Advertisement

“With all these controversial issues on their plate,” Hobbins said, “to add another one. It just gives you pause.”

John Carroll, a spokesman for CMP and Avangrid, said he could understand that reaction. He acknowledged that “people with different agendas will use it for their purposes.”

But cybersecurity, Carroll said, is a daily challenge at companies such as CMP and addressed on an ongoing basis.

“This is one more example,” he said. “It didn’t rise to the level (of reporting) at the time. Not everyone reports every near miss.”

CMP’s Electricity Lifeline Program, known as ELP, helps year-round, low-income customers pay their power bills. Residents who are eligible for the state-run home energy assistance, live in subsidized housing or use oxygen pumps or ventilators may qualify for ELP.

To determine eligibility, CMP works with regional low-income assistance agencies, which vet applicants. If they don’t qualify, CMP sends those customers a form letter to let them know. It was these form letters, dating back nine years or so, that were stored on a server when files were routinely moved by CMP’s IT department last October.

Advertisement

Those files can be seen by the assistance agencies but are password protected. During the moving process, someone forgot to re-establish security protocols, said Brown, the security officer for CMP’s parent company.

The problem came to light in May, when the customer called CMP after discovering her name, address and former account information during a Google search.

After determining the scope of the problem, CMP notified the customer and prevented further access to the information. It then created a new level of security to view the eligibility information, Brown said, and set up a monthly scan of search engines. It also is deleting old applications.

Despite pledges to be more transparent, CMP has been reluctant to publicly divulge this sequence of events.

The Press Herald first reached out to CMP on Sept. 24 to ask about any data breach or customer data being hacked. Gail Rice, CMP’s spokeswoman, replied by email on Sept. 26 that the utility is, “not aware of any incidents this year of CMP customer data being hacked.”

Later that day, the Press Herald made a follow-up query: “Has any confidential customer information been made public this year?”

Rice replied that was a different question and would look into it.

Then last Thursday, Rice said she needed some more details for what appeared to be customer-specific information. On Monday, the Press Herald asked if the breach was linked to the Lifeline program. Rice replied that she was checking.

On Tuesday, Carroll reached out to the newspaper to say he could discuss the issue Wednesday, and set up a conference call with Brown. Carroll said the company alerted the PUC and Hobbins the day before, so they wouldn’t be caught off guard by a news story.

filed under: