Update to May 2023 Data Security Incident
Friday, December 29, 2023
Bunker Hill Community College (“BHCC”) experienced a data incident in May 2023 (the “Incident”) that potentially involved certain individuals’ personal information (“Information”). This notice provides you with information about this Incident, our response, and information on where to direct your questions.
What Happened?
On May 23, 2023, BHCC detected irregular activity on certain BHCC systems that was consistent with a ransomware attack. BHCC immediately responded to the situation by taking the affected systems offline, contacting law enforcement, and engaging data security and privacy experts to conduct an investigation. BHCC personnel were able to stop the unauthorized activity from spreading and contained the Incident to a limited number of BHCC systems. BHCC’s backups were not affected by the Incident, and BHCC personnel were able to restore BHCC’s network from those backups without any data loss. As a credit to the existing safeguards that BHCC had in place, BHCC personnel successfully and safely restored BHCC’s network, enabling BHCC to continue with its academic calendar without any delay.
BHCC engaged leading data security professionals to support its investigation and response. BHCC’s investigation has found that an unauthorized actor gained access to BHCC’s network before deploying ransomware. The investigation was also able to confirm that a limited amount of data was copied from BHCC’s network. Accordingly, BHCC reviewed all the relevant data to determine whether any personal information was present so it could notify individuals as appropriate. There is currently no indication that the unauthorized actor has misused any Information for identity theft or fraud in connection with this Incident.
What Information Was Involved?
BHCC’s investigation determined that the following general categories of Information may have been involved in the incident but are not relevant to every individual: name, date of birth, Social Security number, driver’s license number, state identification number, U.S. alien identification number, passport number, financial account number in combination with routing number, credit/debit card number, username and password, medical information, and health insurance information. Again, the circumstances are different for each individual and not every category applies to each individual.
What We Are Doing.
Upon becoming aware of the unauthorized activity, BHCC immediately implemented measures to further improve the security of BHCC’s information technology systems and practices, including resetting and strengthening passwords, implementing new network security tools, and adopting new network access policies. BHCC worked with leading cybersecurity experts to aid in their investigation and response, and BHCC reported this Incident to relevant government agencies and law enforcement.
Additionally, although we are not aware of any misuse of any affected individuals’ Information for identity theft or fraud in relation to the Incident, BHCC is offering free credit monitoring services to potentially affected individuals for 24 months through Experian, which includes Credit Monitoring, Fraud Consultation, and Identity Theft Restoration.
What You Can Do.
BHCC encourages potentially affected individuals to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their free credit reports for suspicious activity and to detect errors. Potentially affected individuals can also enroll in the credit monitoring services that we are offering at no cost.
Potentially affected individuals seeking additional information, including information about whether their Information was involved and their eligibility for complimentary credit monitoring, may call our toll-free assistance line at 888-722-9207, Monday through Friday, 9 AM to 9 PM Eastern time.
Other Important Information
Please review the “Information About Identity Theft Protection” section below, which outlines other resources individuals can utilize to protect their Information.
For More Information.
Again, potentially affected individuals seeking additional information, including information about whether their Information was involved and their eligibility for complimentary credit monitoring, may call our toll-free assistance line at 888-722-9207, Monday through Friday, 9 AM to 9 PM Eastern time.
You may also contact BHCC at publicinformation@bhcc.edu.
INFORMATION ABOUT IDENTITY THEFT PROTECTION
Contact information for the three nationwide credit reporting agencies:
Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213
Free Credit Report. It is recommended that you remain vigilant against incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity. You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three nationwide credit reporting agencies.
To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.
You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
Fraud Alert. You may place a fraud alert in your file by calling one of the three nationwide credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.
Security Freeze. Pursuant to 15 U.S.C. § 1681c-1, you may obtain a security freeze on your credit report, free of charge, to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may also submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report, free of charge, or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place.
To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, and display your name, current mailing address, and the date of issue.
Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft.
You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/, 1-877-IDTHEFT (438-4338).
For California and Wyoming Residents: This notification was not delayed as a result of any law enforcement investigation.
For Colorado Residents: You can obtain information from the federal trade commission and the credit reporting agencies about fraud alerts and security freezes.
For District of Columbia Residents: You can obtain information about steps to take to avoid identity theft from the Federal Trade Commission (contact information above) and The District of Columbia Office of the Attorney General, 400 6th Street NW, Washington, D.C. 20001, consumer.protection@dc.gov, https://oag.dc.gov/ (202) 442-9828.
For Illinois Residents: You can obtain information from the credit reporting agencies and the Federal Trade Commission about fraud alerts and security freezes (contact information above).
For Iowa Residents: You are advised to report suspected incidents of identity theft to your local law enforcement or the Iowa Office of the Attorney General, 1305 E. Walnut Street, Des Moines IA 50319, consumer@ag.iowa.gov, 1-888-777-4590.
For Maryland Residents: You may obtain information about steps you can take to avoid identity theft from the Federal Trade Commission (contact information above) and the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, https://www.marylandattorneygeneral.gov/Pages/CPD/default.aspx, 1-888-743-0023.
For Massachusetts Residents: You have the right to obtain a police report if you are a victim of identity theft.
For New Mexico Residents: Consumers have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in their credit file has been used against them, the right to know what is in their credit file, the right to ask for their credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to consumers’ files is limited; consumers must give consent for credit reports to be provided to employers; consumers may limit “prescreened” offers of credit and insurance based on information in their credit report; and consumers may seek damages from violators. Consumers may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active-duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage consumers to review their rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York Residents: You may obtain information regarding security breach response and identity theft prevention and protection information from the Federal Trade Commission (contact information above) and the New York Office of the Attorney General, Office of the Attorney General, The Capitol, Albany, NY 12224-0341, https://ag.ny.gov, 1-800-771-7755.
For North Carolina Residents: You may obtain information about preventing identity theft from the Federal Trade Commission (contact information above) and the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Main Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7266.
For Oregon Residents: You are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Office of the Attorney General, 1162 Court Street NE, Salem, OR 97301, www.doj.state.or.us/, (503) 378-6002.
For Rhode Island Residents: You may obtain information about fraud alerts and security freezes from the credit reporting agencies (contact information above) and the Rhode Island Office of the Attorney General, 150 South Main Street, Providence, Rhode Island, 02903, https://riag.ri.gov/ (401) 274-4400. You have the right to file or obtain any police report in regard to this incident. The number of affected Rhode Island residents is 500.