Credit card information for about 2,000 people who ordered tickets online through PortTix, Merrill Auditorium's ticketing agency, was stolen this week when someone hacked into the PortTix Web site.
The breach was discovered Wednesday after someone called to report the possibility that the information was compromised, said Janice Bailey, PortTix executive director.
She declined to reveal the caller's identity. Bailey said the Web site was secured immediately and an outside audit was performed to make sure the site could not be breached again. Portland police are investigating the breach, she said.
Only people who ordered tickets online for upcoming performances, such as the Jerry Seinfeld and Ian Anderson shows next month, were affected. Any online ticket sales that occurred after Thursday were not affected, nor were subscribers or people who bought tickets by phone or mail, she said.
PortTix alerted affected customers by e-mail to warn them of the breach and the possibility of identity theft. PortTix advised them to contact their credit card companies, monitor the activity on their cards and report questionable charges to Portland police. Letters also were being sent out. By Friday afternoon, police had received no reports of possible identity theft.
Kurt Klebe, a PortTix board member and lawyer at Verrill Dana of Portland, said it is possible that the hacker was a thrill seeker and did not enter the site to steal credit card information.
"It is what we gleaned from a discussion with the third party," he said, referring to the caller who reported the breach.
The incident is among hundreds of cases of data theft reported nationwide. So far this year, more than 90 million records containing sensitive personal information have been breached, according to Privacy Rights Clearinghouse.
The PortTix breach was one of three security breaches at Maine-based companies this year, said William Lund, director of the Maine Office of Consumer Credit Regulation, which keeps an informal list. The PortTix breach was the largest. A breach in May at CUSO Mortgage Co. in Hampden, affecting 1,695 customers, was the next largest.
Lund said the number of breaches at Maine companies could be much larger.
The number of reports could climb because of a new law that requires every business in Maine to notify consumers of security breaches starting Jan. 31. The law was designed to give consumers a chance to prevent identity thieves from harming their credit reports.