Notice of Data Security Incident:

Muhlenberg College - October 2, 2018 

What Happened? On May 1, 2018, Muhlenberg College (the “College”) was notified of a suspicious IP address accessing certain Workday accounts. We immediately restricted access to Workday and blocked the suspicious IP address. We launched an investigation, which included working with third-party forensic investigators, to determine the full nature and scope of this incident. The investigation determined that an unknown individual had accessed certain College employees’ Workday and email accounts between December 19, 2017 and May 1, 2018. On July 6, 2018, the College confirmed the individuals impacted by this incident and the personal information that may have been accessible. The College has no evidence that any information contained in the email accounts was subject to actual or attempted misuse as a result of this incident.

What Information Was Involved? The investigation in this matter confirmed that some combination of the following types of personal information may have been accessible as a result of the incident: name, date of birth, Social Security number, passport information, medical information, and health insurance information. To date, the College has not received any reports of the misuse of this information.

What is Muhlenberg College Doing? The College takes the security of personal information in our care very seriously. Upon learning of this event, we immediately restricted access to Workday, blocked the suspicious IP address, and launched an investigation. The unauthorized access was shut down on May 2. We promptly notified potentially impacted employees and worked with them to secure their relevant College accounts. We are notifying state regulators as required by law. We are notifying potentially affected individuals and will be offering these individuals access to 12 months of free identity protection services and providing additional information on steps to protect their identity.

The College has security measures in place to protect data in its care and is taking steps to enhance data security protections to protect against similar incidents in the future including implementing increased security measures for account access. We implemented Multi Factor Authentication to prevent unauthorized, off-campus access to accounts without verification by the account owner. We also initiated an annual cyber security and phishing training and awareness program.

What You Can Do? The College established a dedicated hotline for potentially affected individuals to contact with questions or concerns regarding this incident. For additional information, please call 877-440-0642 (toll free), Monday through Friday, 9:00 a.m. to 9:00 p.m., EST. You can also write to us at 2400 Chew Street, Allentown, PA 18104.

Monitor Your Accounts

The College encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity. Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.

You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:

Experian
PO Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com/freeze/center.html

TransUnion
P.O. Box 2000
Chester, PA 19016
1-800-909-8872
www.transunion.com/credit-freeze

Equifax
PO Box 105788
Atlanta, GA 30348-5788
1-800-685-1111
www.equifax.com/personal/credit-report-services


As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the agencies listed below:

Experian
PO Box 2002
Allen, TX 75013
1-888-397-3742
www.experian.com/fraud/center.html

TransUnion
P.O. Box 2000
Chester, PA 19016
1-800-680-7289
www.transunion.com/fraud-victim-resource/place-fraud-alert

Equifax
PO Box 105069
Atlanta, GA 30348
1-888-766-0008
www.equifax.com/personal/credit-report-services


Although we have no reason to believe that your personal information has been used to file fraudulent tax returns, you can contact the IRS at www.irs.gov/Individuals/Identity-Protection for helpful information and guidance on steps you can take to address a fraudulent tax return filed in your name and what to do if you become the victim of such fraud. You can also visit www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft for more information.

You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General.

The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement.


For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-888-743-0023, www.oag.state.md.us.


For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-566-7226 or 1-919-716-6400, www.ncdoj.gov.


For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.


For Rhode Island Residents:
The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident.