PORTLAND (WGME) -- Central Maine Power has confirmed to the CBS 13 I-Team that thousands of customers had some of their personal information exposed online.
It happened in May but was only recently disclosed to state regulators.
CMP is calling this a "limited exposure" of customer information, including names, addresses and account numbers.
The information belongs to about 77,000 low-income customers who didn't qualify for financial help.
CMP is investigating but says there's no evidence the customer information was accessed or misused.
The security issue was disclosed Tuesday to the Office of the Public Advocate and the Public Utilities Commission, according to both agencies.
CMP says its network was never hacked, and blamed human error for the online release of information.
State regulators say based on the information provided by CMP, the company was not required to report the issue.
Public Advocate Barry Hobbins says the only reason CMP disclosed it was because the company knew the media was looking into it.
Less than an hour ago, the I-Team obtained a copy of a letter Hobbins sent to state regulators asking for the rules to be changed, requiring utilities to report this kind of incident.
“We don't need to have these type of potential breaches not being disclosed,” Hobbins said. “I'm disappointed. It's a lack of judgment. It seems to me that no matter whether it's one person or five people, someone should know.”
State Representative Seth Berry (D-Bowdoinham), House chair of the Legislature’s Joint Standing Committee on Energy, Utilities and Technology said he's also concerned about the lack of disclosure.
“Cover-ups from regulated monopolies like CMP are absolutely unacceptable. They hold the keys to our personal data, our money, and our homes. Yet once again, here we are with another cover-up. Once and for all, CMP needs to learn to come clean with regulators and with the public," Berry said in a statement.
A CMP spokesperson says the company doesn't publicly disclose or comment on near-misses because that could undermine security, encourage hackers, or confuse the public.
She said the focus is on identifying the cause and implementing corrective measures.