PORT CLYDE, Maine — The Port Clyde General Store was one of hundreds of companies across the country that had data from its customers’ credit cards breached by hackers recently.
Attorney Stephen Hayes of Augusta, who represents the store, confirmed that the market was notified by police on May 21 that its system for processing credit card payments “had been compromised by a sophisticated group of criminal hackers.”
The failure was discovered during an investigation into data security breaches that struck dozens of businesses in Maine and hundreds across the United States this spring.
State law requires that the Maine attorney general’s office or Maine Department of Professional and Financial Regulation be notified when a company becomes aware that there has been a breach of security of personal information, such as credit card numbers, it holds on customers.
Since May 21, there have been eight other notifications to the attorney general’s office of security breaches, according to information provided by Martha Demeritt, a complaint examiner for the consumer protection division of the AG’s office.
In some instances, there was inadvertent release of private information. But in many of the cases, illegal hacking from outside parties appeared to have occurred.
Hayes was informed by the consumer protection division of the AG’s office that it is not a question of if a consumer will fall victim to a computer attack, but when.
Hayes said he is not aware of any customers reporting fraudulent activities on their credit cards although a few employees had their card information used.
“It is extremely important that our customers carefully scrutinize their credit card accounts for suspicious charges, a precaution that should be part of your normal practice. If you discover anything out of order, please immediately contact your credit card issuer and notify them,” Hayes said in a written statement.
The Port Clyde General Store immediately cooperated with law enforcement, he said, and implemented the additional security measures recommended by police to protect customers’ confidential information.
The security breach, caused by malware designed to avoid industry-standard precautions, lasted for only a few days, Hayes said.
The store uses an outside professional firm to install and manage the hardware and software for its credit card processing and complied with all state and federal requirements, including encryption of customer data and daily erasure of customer information, according to the written statement by Hayes.
Under federal law, credit card customers are responsible for only the first $50 of fraudulent charges, Hayes stated, but many card issuers, including issuers of debit cards, have more generous policies.
Detective Don Murray of the Knox County Sheriff’s Office could not be reached for comment Tuesday but Knox County Sheriff Donna Dennison said he has been working with agencies including the U.S. Secret Service as part of the investigation of the breach involving the Port Clyde store.
Of the eight other security breaches reported to the attorney general’s office, the largest involved approximately 22,900 Maine residents, according to a letter sent to the AG’s office by Vendini Inc., which provides box-office and online ticketing services.
In the letter, Vendini Vice President for Marketing Keith Goldberg states that Vendini detected “an authorized intrusion into its web application server system” on April 25. The intrusion was criminally motivated and may have begun around March 29.
The information exposed included names, addresses, email addresses, telephone numbers, credit card numbers and credit card expiration dates.
Vendini stated it delayed notification from April 25 to May 21 to support an investigation.
Another notification to the state came on behalf of Beachbody LLC, which operates a home fitness program based in Santa Monica, Calif. Beachbody estimates that the personal information of 80 Maine residents may have been compromised.
The breach was first realized this spring when some of its customers reported fraudulent purchases on their credit cards. The company investigated and determined on April 17 that its database had been hacked.
Discover Financial Services notified the state on May 28 that it had determined that several merchants’ computer systems had been compromised in April. Sixty-three Maine residents were affected. The breach did not occur in Discover’s computer system.
YourTel America Inc., which provides telephone service, notified the AG’s office on May 13 that it had a security breach from a national news organization that affected 51 people. The breach was discovered on April 26, according to a letter sent to the state.
The Edgemont Centre, a residential and rehabilitation care center based in Portsmouth, N.H., notified the state on May 28 that there had been a breach of security involving 14 employees who are residents of Maine. In that case, the personal information of employees was sent by the center’s human resources department to an internal email distribution list. The emails were deleted when the company realized what had happened. The company said there is no reason to believe that confidential information was inappropriately accessed.
Another notification came from Piedmont Healthcare P.A. which states that employment applications from five Maine residents were among information compromised by a security breach. The Statesville, N.C-based health care company said that the breach occurred through Web hosting company E-dreamz, which handled job application information for Piedmont, and did not involve any clinical records of Piedmont.
AHW LLC also notified the AG’s office in May 28 that personal information on 10 Maine residents appeared to have been breached from September through December 2012. The information was for people who used Discover cards at e-commerce site Green Fun Store operated by AHW LLC.
And on May 20, TD Bank notified the state that personal information of two customers may have been disclosed inadvertently by a mailing in which the information was visible through the window of the envelope.
If anyone suspects they’ve have been a victim of fraudulent activity at the Port Clyde General Store, call Detective Don Murray of the Knox County Sheriff’s Office in Rockland at 594-0429.
Correction: An earlier version of the story incorrectly stated the location of Piedmont Healthcare. The company is located in Statesville, N.C.