Data Privacy Event
About the data privacy event
On October 28, 2019, the Allegheny Intermediate Unit (“AIU”) experienced an incident in which malware encrypted certain portions of its network. This notification is meant to supplement our February 7, 2020 notification and is not notice of a new incident. The AIU, with the assistance of third-party forensic specialists, took immediate steps to investigate the nature and scope of the incident. The AIU is issuing this statement to provide additional details regarding what is known about the incident and the further steps it will be taking in response.
Frequently Asked Questions
What happened? On October 28, 2019, we discovered that certain servers within our systems had been infected with malware known as ransomware that prevented us from accessing some of our files. We immediately began working with our in-house information technology department and third-party experts to determine the nature and scope of the incident. We determined that we had backup versions of the most critical information and were able to restore access to the affected files without engaging or paying the unknown intruder. On January 27, 2020, we determined that the unauthorized individual who introduced the malware may have had access to servers containing protected personal information.
What information was involved? We have no evidence the unknown actor actually accessed or acquired any personal or protected information stored on AIU servers. However, some of the servers which may have been accessible stored personal information. Our investigation determined that the personal information which was present on the accessible servers included names, mailing addresses, email addresses, Social Security Numbers, and driver’s license numbers. We have no evidence of actual or attempted misuse of any information on the servers. However, out of an abundance of caution, we are providing this statement regarding the incident as we cannot rule out unauthorized access to personal information at this time.
What is the AIU doing? We take this matter, and the security of information in our possession, very seriously. In addition to the ongoing investigation and restoring the integrity of our systems, we are continuing to review our policies and procedures and enhance the security of our information systems to avoid a similar situation in the future. Though we have no evidence of actual or attempted misuse of any personal information, out of an abundance of caution we are providing this notice. We are also providing credit monitoring services to affected individuals.
What can potentially affected individuals do? While we have no evidence that any personal information was subject to unauthorized access, or has been or will be misused, we encourage anyone who thinks their information may have been impacted to monitor financial accounts and notify their bank immediately if they detect unauthorized or unusual activity. We also encourage you to enroll in the free credit monitoring being offered through ID Experts.
For more information. We understand some people may have additional questions concerning this incident. Individuals can direct questions to 1-833-579-1098 between 9 am and 9 pm Eastern Time, Monday through Friday, except U.S. holidays. Those individuals who believe they are impacted may also contact this number to enroll in the complimentary credit monitoring services.
The AIU apologizes for any inconvenience this may cause and remains committed to the privacy and security of all information it maintains.
The AIU encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor credit reports for suspicious activity. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.
Individuals have the right to place a “security freeze” on their credit report, which will prohibit a consumer reporting agency from releasing information in a credit report without express authorization. The security freeze is designed to prevent credit, loans, and services from being approved without consent. However, individuals should be aware that using a security freeze to take control over who gets access to the personal and financial information in a credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application made regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, individuals cannot be charged to place or lift a security freeze on a credit report. Should individuals wish to place a security freeze, please contact the major consumer reporting agencies listed below:
PO Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
PO Box 105788
Atlanta, GA 30348-5788
In order to request a security freeze, individuals will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);
- If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.
As an alternative to a security freeze, individuals have the right to place an initial or extended “fraud alert” on their file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. Individuals who are victims of identity theft are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should individuals wish to place a fraud alert, please contact any one of the agencies listed below:
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19106
P.O. Box 105069
Atlanta, GA 30348
The Federal Trade Commission (“FTC”) can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The FTC also encourages those who discover that their information has been misused to file a complaint. Individuals can obtain further information on how to file such a complaint by way of the contact information listed above. Individuals have the right to file a police report if they ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, individuals will likely need to provide some proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and the Pennsylvania Attorney General.