Data Security Incident




Letter from the President


April 11, 2016

Rockhurst Faculty, Staff and Student Employees:

I write to inform you of a data security incident involving personal information and how we are addressing it. The incident occurred on Monday, April 4, 2016. We discovered it on Wednesday, April 6, 2016. The privacy and protection of your personal information is a matter of the utmost importance, and we moved swiftly and diligently to resolve the incident and mitigate any potential harm.

The breach involved the disclosure of employee IRS W2 forms to a third party.  Through our investigation, we have learned that the University was targeted by individuals who obtained this information through a “phishing” scam, in which a University administrator’s email address was impersonated.

Based on current information, we believe the disclosure affects all Rockhurst employees who were employed in the 2015 calendar year. The W2 forms that were stolen include employee names, mailing addresses, salary amounts, withholding amounts, and Social Security numbers. Bank account numbers, PIN numbers, security codes, and credit card numbers were NOT released.

The University has reported this incident to the FBI and state and local law enforcement, and is cooperating with any investigations. Notification was not delayed as a result of any law enforcement investigation. We have also notified the IRS, which will be monitoring for the filing of fraudulent tax returns based on the disclosed information. The University is also notifying major credit reporting agencies.

In addition, the University is arranging identity theft and credit monitoring protection for all affected employees, free of charge. We have arranged to have AllClear ID protect your identity for the next two years at no cost to you. The identity theft protection services start on the date of the incident, April 4, and you can use them at any time during the next two years.

You may sign up for the credit monitoring protection using the unique redemption code that has been mailed to the address we have on file for you. If you have not received your letter and code by the end of the day on Monday, April 18, or if you wish to obtain your code in advance of receiving your letter, you may call Laura Mortensen in the finance office at 816-501-4835 for assistance. The finance office is open weekdays from 8:00 to 4:30.

I strongly encourage you to review the information about identity theft protection included below. If you have questions or concerns, please do not hesitate to contact Gerald Moench at 816-501-4862 or Gerald.Moench@Rockhurst.edu. Please note: Additional steps may be required by you in order to activate your phone alerts and monitoring options.

I have the highest regard for you as a companion in our Jesuit enterprise of higher education and respect the privacy of your information. I apologize for the disruption the data breach causes you in your personal life and professional work. I’m angered that someone chose to victimize our institution and the good people that contribute to its important work. And I acknowledge and accept that you may be angry, frustrated and/or frightened, but I ask and hope for your participation and assistance in addressing this situation. Our University will continue to work expeditiously to minimize the harm resulting from this security incident.  We will aggressively pursue measures to prevent a similar occurrence in the future. To that end, we’re working with the authorities, our insurance company, legal counsel, other institutions and experts to identify best practices for getting ahead of schemes like these that, unfortunately, continue to surface.

The best way for us to proceed, as a Jesuit institution, I contend, is found in the practice of our core value of cura personalis. It invites us, in mutual concern and in collective movement, towards union with the God who creates and sustains us.  I invite all of us to keep this in mind as we continue to address the immediate and longer term impacts of the data breach. Together, in God's love and grace, we will be able to pursue the appropriate resolutions for what is needed now and for what we will need to do for our future.

In companionship,

(Rev.) Thomas B. Curran, S.J.

President

Rockhurst University



Frequently Asked Questions


  1. What happened?
    1. A data security incident involving personal information. The breach involved the disclosure of employee IRS W2 forms to a third‑party.  Through our investigation, we have learned that the University was the target of criminals who obtained this information through a phishing scam in which a University administrator’s email address was impersonated.
    2. Based on current information, we believe the disclosure affects all Rockhurst employees that were employed during 2015. The W2 forms that were released include employee names, mailing addresses, salary amounts, withholding amounts, and social security numbers.  Bank account numbers, PIN numbers, security codes, and credit card numbers were NOT released.
    3. This is a sophisticated scheme, other companies have been hit, and the authorities/IRS are well aware of it.

  2. Who was responsible for the security of my information?
    1. Rockhurst University takes the security of your information very seriously.  A third-party criminal obtained your information by fraudulently impersonating a University administrator’s email address.  You may have heard of similar types of scams happening in other institutions, within and beyond academia. We are taking steps to notify and train employees so that they are more able to recognize these sophisticated fraud schemes. 

  3. How did you learn about it?
    1. We discovered this when an employee noticed an anomaly in an email address being used and asked the IT department to investigate.  

  4. When did you learn about it?
    1. The incident occurred on Monday, April 4, 2016. We discovered it on Wednesday, April 6, 2016.  The privacy and protection of your personal information is a matter of the utmost importance, and we moved swiftly and diligently to resolve the incident and mitigate any potential harm.

  5. Why is there such a gap of time before you notified us?
    1. As soon as we became aware of the situation, we notified the authorities as well as the appropriate campus leadership. We had to very quickly determine the scope of the matter, the legal obligations and concerns, the process with the authorities and the best course of action. We immediately looked into and hired a firm with experience in handling these issues and engaged in their process within 48 hours of learning of the matter. We did our best to balance the need for swift communication with the importance of fully understanding the scope of the crime and the best course of action for all individuals and relevant regulators and investigators.

  6. What actions did the University take when it learned of the incident?
    1. The University has reported this incident to the FBI and state and local law enforcement, and fully intends to cooperate with any investigations.  We have also notified the IRS, which will be monitoring for the filing of fraudulent tax returns based on the disclosed information.  The University is also in the process of notifying major credit reporting agencies.

  7. Has my identity been stolen?
    1. No. Personal information has been stolen, and that’s why we’re taking and recommending steps to protect your identity.

  8. Has anyone who had their W-2 information stolen uncovered any fraudulent/criminal behavior?
    1. Unfortunately, we have learned that there have been some attempts to file fraudulent tax returns. We strongly encourage everyone who was affected by this breach to be vigilant and work with our protection service to mitigate against any similar attempts.

  9. Were there other individuals affected by this breach, or am I the only one?
    1. All of Rockhurst’s employees were affected by this incident.  Additionally, through our investigation, we learned that many different organizations around the country have been targeted by similar fraudulent attacks where confidential information was obtained by criminals.

  10. Was my spouse or other family members’ information also affected?
    1. No.  Only employees of Rockhurst during the 2015 calendar year were affected.

  11. How do I know if fraudulent activity has taken place? What’s the process for reporting?
    1. The letter we sent you outlines steps to protect and monitor your financial and personal information.

  12. How can I trust my information will be safe in the future?
    1. Unfortunately, in this day and age, criminals are becoming more sophisticated in their efforts to steal information and threaten cybersecurity. The steps we outlined will help you monitor and protect your information, and the University plans to provide services for two years or longer if necessary.

  13. How do we work to prevent this from happening in the future?
    1. We are in consultation with the authorities, our insurance carrier, other institutions and third party experts to learn about and adopt best practices for preventing a violation like this from happening again. We are training employees to be able to recognize these types of sophisticated fraudulent schemes.  We are also exploring how we might implement additional technical safeguards specific to our email systems and processes.

  14. What are you doing to rectify the situation?
    1. The University has arranged identity theft/credit monitoring protection for all affected employees, free of charge. We have arranged to have AllClear ID protect your identity for the next two years, or longer if necessary, at no cost to you. The following identity theft protection services start on the date of the incident, April 4, 2016, and you can use them at any time during the next two years:
      1. AllClear SECURE: The team at AllClear ID is ready and standing by if you need identity repair assistance. This service is automatically available to you with no enrollment required. If a problem arises, simply call 855-434-8076 and a dedicated investigator will help recover financial losses, restore your credit and make sure your identity is returned to its proper condition.
      2. AllClear PRO: This service offers additional layers of protection including credit monitoring and a $1 million identity theft insurance policy. For a child under 18 years old, AllClear ID ChildScan identifies acts of credit, criminal, medical or employment fraud against children by searching thousands of public databases for use of your child’s information. To use the PRO service, you will need to provide your personal information to AllClear ID. You may sign up online at enroll.allclearid.com or by phone by calling 855-434-8076 using the unique redemption code that has been mailed to the address we have on file for you. If you have not received your letter and code by the end of the day on Monday, April 18, or if you wish to obtain your code in advance of receiving your letter, you may call Laura Mortensen in the finance office at 816-501-4835 for assistance. She will have access to the redemption codes starting on April 14, 2016. The finance office is open weekdays from 8:00 am to 4:30 pm.

  15. What happens after two years?
    1. We will evaluate the remaining risk at that time with the AllClear ID experts and extend the service if warranted.

  16. What do I need to do?
    1. Sign up for the free ID theft protection service and the credit monitoring service. You may want to check the activity in all of your accounts and the status of your tax return as well.

  17. What additional steps can I take?
    1. In addition to signing up for the ID theft protection service and the credit monitoring service that Rockhurst will provide, employees should consider establishing additional security for:
      1. Bank accounts (this can be done online to restrict online access, and by telephone to prevent unauthorized telephone transactions).
      2. Investment accounts (call your advisors to set up).
      3. Retirement accounts (call your advisors to set up). See the following information about how to contact TIAA-CREF.

  18. Is my TIAA-CREF retirement account safe?
    1. TIAA-CREF is aware of the security breach and they stand ready to assist you in elevating the security on your account. Their National Call Center’s phone number is 800-842-2776 and their hours of operation are Monday through Friday from 7:00 a.m. to 9:00 p.m. central time. A verbal password can be added to an account with a National Call Center Consultant, after verification (see below) or a written signed request is received. In order to change and/or delete the verbal password on file, it is required to be requested in writing. TIAA’s address for written correspondence is:

      TIAA
      PO Box 1259
      Charlotte, NC 282001

      All correspondence should include the employee’s TIAA account number.

      TIAA’s verification process is as follows: For inbound callers, information such as name, social security number, employee ID number, and employer name are NOT sufficient to verify someone. Rather, the National Call Center Consultant will ask the caller to provide other information that is unique to them personally and also unique to TIAA’s relationship and contract with Rockhurst. The National Call Center Consultants have a bank of many different questions that are rotated for each call received and the type of requests the caller is making.

      Employees are also encouraged to utilize TIAA’s online services to monitor their retirement accounts.

  19. Has the person who stole the information been caught?
    1. Not to our knowledge. We are cooperating with law enforcement agencies and hope that those responsible will be caught and prosecuted, although we recognize that these types of criminals are difficult to identify.

  20. Will we receive any additional information or updates?
    1. Yes. We will share any new information and updates, as appropriate. We will post any information as well as updates on the University’s website at Rockhurst.edu/databreach

  21. Who can I speak to?
    1. The knowledgeable professionals at AllClear ID are your best source of information. You can call them at 855-434-8076.

  22. Can I speak to someone at the University?
    1. The University scheduled information sessions on April 14 and April 15 to review the information found here. If you still have questions, call Gerald Moench, CFO, at 816-501-4862.

  23. I contacted a credit agency to place an extended fraud alert on my credit report and also a credit freeze on my credit file. The credit agency asked me to provide a valid crime report on the data breach incident from a law enforcement agency. Where can I find this report?
    1. The crime report can be found at http://www.rockhurst.edu/databreach/kcpdreport

  24. I recently received a call from the IRS stating that I owed them for back taxes and threatening to take legal action against me unless I paid them immediately. Is this legitimate?
    1. We believe this to be a scam, possibly related to the data breach incident. You should report this immediately to the IRS at the following web address: https://www.treasury.gov/tigta/contact_report_scam.shtml. If you provided the caller with sensitive information or money, in addition to reporting the incident to the IRS you should also report the incident to AllClear ID. When speaking with AllClear ID you should ask to speak to an investigator.


Frequently Asked Questions Specific to Identity Theft


  1. I filed an application for extension of time to file my 2015 tax return, what should I do?
    1. The most effective way to mitigate tax identity theft is to file your return as soon as possible. You can call the IRS identity theft special assistance at 800-908-4490 and they can tell you if a return has already been filed using your social security number. Even though spouses’ social security numbers were not disclosed to a third party in this data breach, it may behoove you to also inquire about your spouse’s social security number when speaking with the IRS.

  2. If I received a W-2 for 2015 but was not required to and did not file a 2015 tax return, what should I do?
    1. You are encouraged to file your 2015 tax return as it’s the most effective way to mitigate the risk of tax identity theft.

  3. Could the data breach affect my state tax returns?
    1. Yes. If you know you are a victim of state tax identification theft then you should immediately contact AllClear ID and they will guide you through the process. If you are uncertain as to the status of your 2015 state tax return filings then you should contact the appropriate taxing authorities in the states where you file. The number to call in Missouri is 573-751-3505. The number to call in Kansas is 785-368-8222.

  4. What protection does IRS form 14039 provide me?
    1. If you have been a victim of tax identity theft, the filing of form 14039 will ultimately result in the IRS issuing to you a unique “IP-PIN” that you will be required to use in order to file future tax returns. The IP-PIN is specifically designed to prevent you from becoming a tax identity theft victim in the future.

      If you have not been a victim of tax identity theft and you are filing form 14039 as a precautionary measure, the IRS is unlikely to issue an IP-PIN to you. Rather, the IRS will place a “marker” on your account which will subject your account to a higher level of IRS scrutiny, but a marker will not prevent your tax identity from being stolen. Keep in mind that after filing the form 14039 as a precautionary measure, if you later become a tax identity theft victim then you will likely be required to file form 14039 again.

NOTE: You should consider contacting the taxing authorities in the states in which you file a tax return to inquire about similar precautionary measures.

Frequently Asked Questions Specific to FAFSA


  1. How is the information provided to the U.S. Department of Education related to my Free Application for Federal Student Aid (FAFSA) protected?
    1. The U.S. Department of Education’s Office of Federal Student Aid provides a number of security protections for your FAFSA information. It protects your FAFSA information through processes including encryption, username (FSA ID) and password protection, requiring valid email addresses, and requiring identity verification through security questions called “challenge questions.” The Department uses special software programs to monitor for unauthorized attempts to upload or change information, and has hardware, facilities, and personnel controls in place as well.

      Note that, if you have authorized it to do so, the Department may share your financial aid information with state agencies or schools you are thinking about attending. The Department may disclose your information to other entities—including private firms, the Internal Revenue Service, and other government agencies—in some circumstances, and those other entities must maintain safeguards identified in relevant statutes. Also, the Department may send your information to your parents or spouse if they provided information on your FAFSA. Click here for complete FAFSA Privacy & Security Information.

  2. What steps can I take to protect the personal information provided to the Department of Education related to my FAFSA?
    1. Be sure to keep your FSA ID, password, answers to your challenge questions, and any hard or electronic copies of your FAFSA private. You may update your FSA ID and password by selecting “Edit My FSA ID” on the FAFSA Login Page. You can also use this page to update your challenge questions.

  3. Who can I contact with concerns about the security of my FAFSA information?
    1. Contact the Federal Student Aid Information Center at 1-800-4-FED-AID (1-800-433-3243) if you are concerned that your FAFSA information has been misused.


Information About Identity Theft Prevention

We recommend that you regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies.  You may obtain a free copy of your credit report online at www.annualcreditreport.com, by calling toll‑free 1‑877‑322‑8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348‑5281.  You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed below.

Equifax: P.O. Box 740241, Atlanta, Georgia 30374‑0241, 1‑800‑685‑1111, www.equifax.com

Experian: P.O. Box 9532, Allen, TX 75013, 1‑888‑397‑3742, www.experian.com

TransUnion: P.O. Box 1000, Chester, PA 19022, 1‑800‑888‑4213, www.transunion.com
 

When you receive your credit reports, review them carefully.  Look for accounts or creditor inquiries that you did not initiate or do not recognize.  Look for information, such as home address and Social Security number, that is not accurate.  If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

We recommend you remain vigilant with respect to reviewing your account statements and credit reports, and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general and/or the Federal Trade Commission (“FTC”).  You may contact the FTC or your state’s regulatory authority to obtain additional information about avoiding identity theft.

Federal Trade Commission, Consumer Response Center

600 Pennsylvania Avenue, NW, Washington, DC 20580

1‑877‑IDTHEFT (438‑4338), www.ftc.gov/idtheft

For residents of Massachusetts: You also have the right to obtain a police report.
 

Fraud Alerts: There are also two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an initial alert and an extended alert.  You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft.  An initial fraud alert stays on your credit report for at least 90 days.  You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof.  An extended fraud alert stays on your credit report for seven years.  You can place a fraud alert on your credit report by calling the toll‑free fraud number of any of the three national credit reporting agencies listed below.

Equifax: 1‑888‑766‑0008, www.equifax.com

Experian: 1‑888‑397‑3742, www.experian.com

TransUnion: 1‑800‑680‑7289, fraud.transunion.com
 

Credit Freezes (for Non‑Massachusetts Residents): You may have the right to put a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze.  A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent.  If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze.  Therefore, using a credit freeze may delay your ability to obtain credit.  In addition, you may incur fees to place, lift and/or remove a credit freeze.  Credit freeze laws vary from state to state.  The cost of placing, temporarily lifting, and removing a credit freeze also varies by state, generally $5 to $20 per action at each credit reporting company.  Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company.  Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as specified below to find out more information:

Equifax: P.O. Box 105788, Atlanta, GA 30348, www.equifax.com

Experian: P.O. Box 9554, Allen, TX 75013, www.experian.com

TransUnion LLC: P.O. Box 2000, Chester, PA, 19022‑2000, freeze.transunion.com

You can obtain more information about fraud alerts and credit freezes by contacting the FTC or one of the national credit reporting agencies listed above.
 

Credit Freezes (for Massachusetts Residents): Massachusetts law gives you the right to place a security freeze on your consumer reports.  A security freeze is designed to prevent credit, loans and services from being approved in your name without your consent.  Using a security freeze, however, may delay your ability to obtain credit.  You may request that a freeze be placed on your credit report by sending a request to a credit reporting agency by certified mail, overnight mail or regular stamped mail to the address below:

Equifax: P.O. Box 105788, Atlanta, GA 30348, www.equifax.com

Experian: P.O. Box 9554, Allen, TX 75013, www.experian.com

TransUnion LLC: P.O. Box 2000, Chester, PA, 19022‑2000, freeze.transunion.com
 

Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company.  The following information should be included when requesting a security freeze (documentation for you and your spouse must be submitted when freezing a spouse’s credit report): full name, with middle initial and any suffixes; Social Security number; date of birth (month, day and year); current address and previous addresses for the past five (5) years; and applicable fee (if any) or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles.  The request should also include a copy of a government‑issued identification card, such as a driver’s license, state or military ID card, and a copy of a utility bill, bank or insurance statement.  Each copy should be legible, display your name and current mailing address, and the date of issue (statement dates must be recent).  The credit reporting company may charge a reasonable fee of up to $5 to place a freeze or lift or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and have submitted a valid police report relating to the identity theft to the credit reporting company.

IRS: You may obtain information about tax‑related identity theft from the IRS at https://www.irs.gov/uac/Taxpayer‑Guide‑to‑Identity‑Theft.

U.S. Department of Education: You may also obtain additional information about steps you can take to protect yourself from identity theft from the U.S. Department of Education’s Office of Inspector General at http://www2.ed.gov/about/offices/list/oig/misused/idtheft.html.