A sophisticated e-mail scam cost a Brunswick-based heating fuel company as much as $150,000 and potentially exposed hundreds of customers' checking account information, the company said Monday – a day when the U.S. Senate's Homeland Security Committee held hearings on cybersecurity.
Downeast Energy and Building Supply learned last week that scammers, apparently in Eastern Europe, had gained access to the bank account the company uses to let customers pay for fuel with electronic transfers from their checking accounts.
"We are continuing to work closely with law enforcement and our bank to ensure that our account is secured, but more importantly to protect our customers," said company President John Peters.
The scam started with an innocent-looking e-mail to a Downeast employee that purported to be from the company's bank. A link in the e-mail, which appeared to come from KeyBank, took the employee to a Web site that looked identical to the bank's.
When the company's bank-issued user name and password were entered, the information was sent to the scammers, who used it to steal the money.
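The mechanism described above, a link whose visible text looks like the bank while its real target is a lookalike site, is exactly what an automated check on inbound mail can flag before anyone types a password. The following Python script is an added example, not code from the article or from Downeast Energy or its bank: it extracts the links from an HTML e-mail body, reports any link whose displayed domain differs from the domain it actually points to, and reports links to any host outside an allowlist. The allowlisted domain `bank.example` and the sample e-mail are constructed for the demonstration and are not KeyBank's real domain or the real phishing message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domain the organisation's bank legitimately uses.
# This is a placeholder, not KeyBank's actual domain.
TRUSTED_BANK_DOMAINS = {"bank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> element is the link's display text.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or a bare domain string such as 'www.bank.example/login'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def is_trusted(host):
    """True only for the allowlisted domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_BANK_DOMAINS)


def audit_links(html):
    """Return human-readable findings for links that should not be followed unverified."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Treat the display text as a domain only if it looks like one (no spaces, has a dot).
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and shown != target:
            findings.append(
                f"display/target mismatch: text shows {shown}, link goes to {target}"
            )
        elif not is_trusted(target):
            findings.append(f"untrusted host: {target}")
    return findings


# Constructed sample message in the style of the lure described in the article.
SAMPLE_EMAIL = """
<p>Your online banking profile requires verification.</p>
<p>Sign in at <a href="http://bank-example-secure.test/login">www.bank.example</a> to continue.</p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed message, the script reports one finding: the "Sign in" link shows `www.bank.example` but points at `bank-example-secure.test`. The help link passes because its target is a subdomain of the allowlisted domain. A display/target mismatch is the stronger signal and is checked first; the allowlist catches lures that use unrelated hosts with innocuous link text such as "click here".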
Federal officials say Internet criminals are increasingly targeting small and mid-sized companies.
As large companies have gained more sophisticated computer network protection, cybercriminals have adapted and gone after smaller businesses that lack such security, Michael Merritt, assistant director of the Secret Service's office of investigations, told the Senate Homeland Security and Governmental Affairs Committee.
Phil Reitinger, deputy undersecretary in the Department of Homeland Security, said a recent study suggested that as many as 87 percent of data breaches could be avoided with simple to intermediate preventive measures.
Sen. Susan Collins, R-Maine, ranking member on the committee, said that cybercrime has cost the national economy nearly $8 billion.
Data relating to more than 130 million credit and debit cards was stolen from corporations, including the Maine-based Hannaford Bros. supermarket chain.
At Monday's hearing, Collins advocated for legislation to ensure sharing of information about vulnerabilities between government and the private sector.
"As these latest incidents underscore, the time has come to move on from simply planning to action," she said.
Peters said lax computer protection was not the problem for Downeast Energy.
"We have spent, and continue to spend on a regular basis, tens of thousands of dollars a year to get the appropriate electronic surveillance systems," he said, noting that the company hires a consultant to try to hack into its systems. "This breach was the result of human error."
The company will consider additional safeguards, he said, such as further restricting employees' access to bank passwords and requiring duplicate authorizations for certain transactions.
State law requires companies to notify customers and the Attorney General's Office about such breaches.
The breach was discovered early last week, and Downeast Energy mailed letters to all 800 affected customers by Friday. Customers probably started receiving letters Monday.
The personal information to which the thieves had access included customers' names, banks and checking account numbers. It did not include telephone numbers or home addresses, or any information associated with credit or debit cards, Peters said.
Customers who might have been affected are encouraged to contact their banks to determine whether additional steps should be taken to secure their accounts. So far, no customers have reported unauthorized account access resulting from the data breach, Peters said.
The loss of $150,000 should not affect the company's operations, Peters said.
"We're very well capitalized," he said. "I don't want anybody to think $150,000 isn't a significant amount of money, but it isn't going to...