Data Security Incident

April 23, 2019

Dear Faculty and Staff,

We are writing to inform you about an incident involving the possible exposure of personal information belonging to Seattle University faculty, staff and their dependents.

What Happened

 On March 28, 2019, Seattle University was informed by an employee that an unencrypted university-issued laptop was lost while the employee was commuting on a bus on March 26, 2019. The employee reported the incident to the Department of Public Safety, which contacted King County Metro and the Seattle Police Department, but the laptop has not been located.

After learning of the situation, the university immediately began an investigation led by Information Technology Services and has been able to confirm there were files on the laptop that contained the names and Social Security numbers of 2,102 current and former faculty, staff, and their dependents. Although no files with sensitive data were saved directly to the local hard drive, an offline email cache file on the laptop contained attachments with personal information.  The main file of concern was the result of an isolated incident in which an outside vendor emailed the file in error.    

While we have no evidence that any personal information has been accessed by an unauthorized person, we take this situation very seriously. As a result, we are notifying our campus community of this incident as well as each potentially affected individual.

What We Are Doing

Now that the university has completed its investigation and identified all individuals whose information may have been involved, we are notifying the individuals as quickly as possible.  A personal letter has been sent to those whose information was on the laptop informing them of this incident and explaining the steps we are taking to safeguard them against identity fraud. To help them monitor for any potential misuse of their personal information, the university is providing those community members a complimentary one-year membership in Experian’s® IdentityWorksSM Credit 3B. This product helps detect possible misuse of personal information and provides identity protection services focused on immediate identification and resolution of identity theft.  The personal notification letters include information and instructions about how to access this product. 

We deeply regret this situation occurred and sincerely apologize. Protecting your personal information is one of our highest priorities. Please be assured that we are taking additional steps to further enhance the university’s data security procedures and minimize risk. The university recently hired a Director of Cybersecurity and Risk who has been actively involved in leading the efforts to investigate this incident.  In addition, we are redoubling our efforts to encrypt data on all university-managed laptops.

Questions

If you have any questions, please call 1-866-535-9060, Monday through Friday, from 8:00 a.m. to 5:30 p.m. Central Time to talk to representatives who have been briefed about this incident. You may also find a list of frequently asked questions below. 

Sincerely,

Stephen V. Sundborg, S.J.
President

Chris Van Liew
CIO and Vice President for Information Technology

Michelle Clements
Vice President for Human Resources

Frequently Asked Questions

Why does Seattle University have my personal information?

Seattle University has your personal information because you are a current or former employee or a family member of a current or former employee.

What happened?

On March 28, 2019, Seattle University was informed by an employee that a University-issued laptop was lost while the employee was commuting on a bus. The employee contacted King County Metro and reported the incident to the Department of Public Safety, but the laptop has not been located. The university immediately began an investigation and determined that files on the laptop contained your name and Social Security number.

What personal information may have been involved?

The investigation determined that a file on the employee’s laptop contained the name and Social Security number of 2,102 current and former faculty, staff and their dependents.

Why was I notified?

Protecting employee privacy is a top priority for Seattle University. As a result, the university took immediate steps to address the incident in a timely and thorough manner. This included contacting all individuals potentially impacted by the incident. The university takes this very seriously. There are also state laws that require Seattle University to send potentially affected individuals written notification.

Has Seattle University notified authorities/law enforcement?

Yes. King County Metro, Seattle Police Department and the Department of Public Safety have been notified, but the laptop has not been located.

Did this incident affect all Seattle University employees?

No, this incident did not affect all Seattle University employees. Seattle University only sent notice letters to employees and their family members if their personal information may have been contained on the laptop.

Was my adult family member’s (e.g., spouse) personal information affected?

Seattle University mailed letters to all affected individuals in this incident, so your family member also should have received a letter in the mail if their information was involved.

Unfortunately, the university cannot disclose any information regarding other potential individuals impacted by this incident. Please have your family member call us directly at 1-866-535-9060, Monday through Friday, from 8:00 a.m. to 5:30 p.m. Central Time. 

Was my minor child’s personal information affected?

Seattle University mailed letters to all affected individuals in this incident, including minors, so your child also should have received a letter in the mail if their information was involved. If your child received healthcare benefits through Seattle University or you otherwise provided your child’s name and Social Security number to the university, then your child’s information may have been involved. You may call 1-866-535-9060 and provide your child’s name and address in order to find out if his or her personal information was involved in the incident.

What have you done to keep this from happening again?

Seattle University is taking steps to further enhance the university’s data security procedures, including encrypting data on all university-issued laptops.

Why wasn’t I contacted sooner?

Since the employee notified Seattle University of the lost laptop on March 28, 2019, the university has been working diligently to investigate the incident and identify all individuals whose information may have been involved in the incident. Once Seattle University completed its investigation and identified all individuals whose information may have been involved in the incident, it notified the individuals as quickly as possible.

What are you doing about this?

Seattle University began a thorough investigation to determine what happened and what information may have been involved as soon as it was notified that a laptop had been lost.

Seattle University is committed to protecting the security and confidentiality of personal information and sincerely apologizes for any inconvenience or concern this incident causes you. Seattle University is taking steps to further enhance the univeIrsity’s data security procedures, including encrypting data on all university-issued laptops.

Out of an abundance of caution, Seattle University is offering one year of credit monitoring services.

Are all affected individuals being notified?

Yes, Seattle University conducted a thorough investigation of the data contained on the lost laptop and notified all individuals whose personal information may have been involved in the incident.

What are you doing to ensure that this does not happen again?

Seattle University is taking steps to further enhance the university’s data security procedures, including encrypting data on all university-issued laptops. We also encourage you to take the steps outlined in your letter to protect against identity theft and fraud. The primary step that you can take is to review your financial account statements closely and report any unauthorized charges or suspicious items to your bank immediately.

Why was my Social Security number on the laptop?

The laptop contained files of employees and their dependents enrolled in the university’s benefit plans and related functions. Although no files with personal data were saved directly to the local hard drive, an offline email cache file on the laptop contained attachments with this personal information.  The main file of concern was the result of an isolated incident in which an outside vendor emailed the file in error.

Financial Fraud/Identity Theft Questions

What can I do/What should I do now?

Seattle University encourages you to remain vigilant by reviewing your financial account statements and credit report for any unauthorized activity or services you did not receive. In addition, the notification Seattle University sent to your home address provides steps you can take to protect yourself.

Does this mean I am the victim of identity theft?

Not necessarily. Seattle University is not aware of any reports of identity theft or other fraud resulting from this incident. Seattle University recommends that you remain vigilant regarding the possibility of fraud and identity theft by reviewing your account statements and credit reports for any unauthorized activity. Additionally, Seattle University encourages you to sign up for the free credit monitoring services described in the letter sent to you to help identify fraudulent activity or misuse of your information. If you notice suspicious activity on your financial account, immediately notify your account officer or your financial institution’s fraud department.  If you determine your personal information is being used fraudulently, we urge you to immediately contact the police and file a police report. Obtain a copy of the police report, as you may need to provide copies of the report to creditors to clear up your records. You may also contact the Federal Trade Commission and the attorney general’s office in your state.

What if I have out-of-pocket expenses related to this issue?

You should review your account statements for any unauthorized activity regularly. In addition, the notification Seattle University sent to you provides additional steps you can take to protect yourself.

How will I know if my information was used by someone else?

Seattle University encourages you to remain vigilant regarding the possibility of fraud and identity theft by reviewing your financial account statements and credit reports for any unauthorized activity. Additionally, Seattle University encourages you to take advantage of the complimentary monitoring services offered to you in the letter sent to your home residence.

How does someone obtain a free copy of his or her credit report?

You may obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting companies. To order your annual free report please visit www.annualcreditreport.com, call toll free at 1-877-322-8228, or directly contact the three nationwide credit reporting companies:

Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
1-800-525-6285

Experian
PO Box 2002
Allen, TX 75013
www.experian.com
1-888-397-3742

TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
1-800-680-7289 

I believe I have experienced fraud/identity theft. What do I do?

Seattle University encourages you to sign up for the free credit monitoring services described in the letter sent to you to help identify fraudulent activity or misuse of your information. If you notice suspicious activity on your financial account, immediately notify your financial institution’s fraud department.  If you determine your personal information is being used fraudulently, we urge you to immediately contact the police and file a police report. Obtain a copy of the police report, as you may need to provide copies of the report to creditors to clear up your records. You may also contact the Federal Trade Commission and the attorney general’s office in your state. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580

1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft.

Now that the incident is resolved, could I still experience fraud?

Even though all steps have been taken to resolve this incident, Seattle University encourages you to remain vigilant regarding the possibility of fraud and identity theft by reviewing credit report and payment card, bank, and other financial statements for any unauthorized activity. In addition, the notification Seattle University sent to your home address provides additional steps you can take to protect yourself.

Will someone steal my identity?

Seattle University does not have any evidence any individual has experienced identity theft as a result of this incident. However, if you ever believe you have been the victim of identity theft or have reason to believe your information is being misused, Seattle University urges you to immediately contact the police and file a police report. Obtain a copy of the police report as you may need to provide copies of the report to creditors to clear up your records. You may also contact the Federal Trade Commission and the Attorney General’s Office in your state. You may obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting companies. To order your annual free report please visit www.annualcreditreport.com, call toll free at 1-877-322-8228, or directly contact the three nationwide credit reporting companies:

Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
1-800-525-6285

Experian
PO Box 2002
Allen, TX 75013
www.experian.com
1-888-397-3742

TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
1-800-680-7289

Should I request a fraud alert from the credit reporting agencies? What is a fraud alert?

That is a choice only you can make. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also could delay your ability to obtain credit.  There are also two types of fraud alerts you can place on your credit report to put your creditors on notice you may be a victim of fraud: an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three national credit reporting agencies as follows:

  • Equifax: 1-888-766-0008
    https://www.alerts.equifax.com
  • Experian: 1-888-397-3742
    https://www.experian.com/fraud/center.html
  • TransUnion: 1-800-680-7289
    https://www.transunion.com/fraud-victim-resource/place-fraud-alert

Should I freeze my credit? What is a credit or security freeze?

That is a choice only you can make. You have the right to put a credit freeze, also known as a security freeze, on your credit file, free of charge, so that no new credit can be opened in your name without the use of a PIN that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit.

There is no fee to place or lift a security freeze. Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit reporting company. For information and instructions to place a security freeze, contact each of the credit reporting agencies at the addresses below:

  • Equifax Security Freeze: P.O. Box 105788, Atlanta, GA 30348
    https://www.freeze.equifax.com/
  • Experian Security Freeze: P.O. Box 9554, Allen, TX 75013
    https://www.experian.com/freeze/center.html
  • TransUnion Security Freeze: P.O. Box 2000, Chester, PA, 19016
    https://www.transunion.com/credit-freeze/place-credit-freeze

Credit Monitoring Questions

Are you offering credit monitoring?

Seattle University is providing a complimentary one-year membership in Experian® IdentityWorksSM Credit 3B. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft.

Seattle University recommends you monitor your personal information and review recommendations at the Federal Trade Commission’s website, www.ftc.gov/idtheft. You can obtain information from the website about steps you can take to avoid identity theft as well as information about fraud alerts and security freezes.

Are you offering credit monitoring for my child?

Yes, if your child’s personal information was affected in this incident. Seattle University mailed letters to all affected individuals, including minors, so your child also should have received a letter in the mail if their information was involved. Seattle University is providing affected minors a complimentary one-year membership in Experian® IdentityWorksSM Minor Plus.  This product provides you with internet surveillance of your minor’s personal information.  In addition, IdentityWorks Minor Plus will tell you if your minor has a credit report, a potential sign that his or her identity has been stolen.

Will enrolling in credit monitoring affect my credit?

No. Enrollment in credit monitoring and identity theft protection services will not affect your credit.

Do I need an activation code/membership number?

Yes. Your activation code is listed in the letter you received, on the page that provides instructions on how to enroll in credit and identity monitoring services.

Can my family member also receive free credit monitoring services?

If your family member was affected, he or she will be sent a letter and offered these services.

My activation code is not working, what do I do?

Seattle University apologizes for the inconvenience this has caused. Seattle University has confirmed that these codes are valid and active. Please contact the customer service number provided on your letter. An agent will be able to assist you with any issues you have with your activation code. They will also be able to enroll you over the phone.

Should I sign up for the credit monitoring services?

That is a choice only you can make. The details of the free services Seattle University is offering are contained in the letter and on the websites listed in the letter.

Is this notification a solicitation to purchase identity theft protection products?

No, the notification you received is not an attempt to get you to purchase any services, -it is only to protect your personal information. Although Seattle University has no indication identity theft or other financial fraud has occurred because of this incident, in an abundance of caution, the university notified you about this situation and is offering a complimentary one-year membership in Experian® IdentityWorksSM Credit 3B. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft.

What is the duration of the credit monitoring being offered?

Seattle University is offering one year of complimentary identity and credit monitoring services.

Will I be automatically charged after the complimentary credit and identity monitoring service expires?

No, you will not be charged automatically after your complimentary credit and identity monitoring services expire. You do not need to provide any payment information to enroll in the services.

What happens after the identity protection or credit monitoring expires?

When the service expires, you will have the option to continue service for a nominal monthly fee. You may also continue to monitor your credit by requesting a free copy of your credit report annually directly from each of the three nationwide credit reporting companies. To order your annual free report please visit www.annualcreditreport.com, call toll free at 1-877-322-8228, or directly contact the three nationwide credit reporting companies:

Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
1-800-525-6285

Experian
PO Box 2002
Allen, TX 75013
www.experian.com
1-888-397-3742

TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
1-800-680-7289

Miscellaneous Questions

Why is my letter addressed from another state?

To notify you regarding this incident as quickly as possible, Seattle University is working with a mail processing vendor to mail notification letters. The return address on your envelope is the return address for the mail processing vendor.