Security Incident
The University of Memphis is committed to protecting the security and confidentiality of the information entrusted to us.
Am I Affected?
We began notifying affected individuals on December 4, 2020. Affected individuals received notification at their current email address and mailing address listed in University records.
What happened?
On October 30, 2020, the University received a report of suspicious behavior related to email access and determined that one email account had been accessed without appropriate authorization. Immediate steps were taken on October 30, 2020, to secure the email account access. Law enforcement authorities were notified, and an investigation was launched on November 4, 2020 to determine if any personally identifiable information may have been involved. On November 11, 2020, the investigation determined that some confidential data for certain faculty and staff members were contained in the email account and were accessible by the unauthorized user. The UofM has identified and notified the affected faculty or staff members.
When did it happen?
Access to the email account was available to the unauthorized user between October 23, 2020 and October 30, 2020. We first learned of this on October 30, 2020. On November 11, 2020, the investigation determined that some confidential data for certain faculty and staff members were contained in the email account and were accessible by the unauthorized user.
Why wasn’t I contacted sooner?
The University of Memphis is committed to protecting the security and confidentiality of the information entrusted to us, and we worked hard to notify you as quickly as possible. After we found out about this incident, we promptly took steps to remove the unauthorized access. We notified you as soon as we could once we determined the extent of the data involved.
Why was I notified?
The University is committed to protecting the security and confidentiality of the information entrusted to us, and we knew that affected individuals would want to know about this incident. There are also state and federal laws that require us to send written notification.
What specific information of mine was affected?
The data included individual names, social security numbers, addresses, and telephone numbers. The data were not encrypted. We have no knowledge that your information has been misused in any way.
Why was my information contained in an email?
The information was shared in an attachment for legitimate business purposes; unfortunately, the data was not encrypted. The University took immediate steps to contain and revoke the unauthorized access, and employees have been reminded of policies and procedures designed to protect confidential information. Annual IT Security Awareness Training for employees is on-going and additional technologies are being reviewed to strengthen compliance with data security policies and guidelines.
How many people were involved in the security breach?
There were certain faculty and staff whose information was sent in the email attachment. Each employee whose information was potentially at risk is receiving the formal notification of the incident with steps to protect your identify.
Have those affected people been notified?
Yes. We notified all individuals whose information may have been affected.
Could there potentially be more people affected?
We’ve conducted a thorough investigation and have notified all individuals whose information may have been affected.
Does this mean I am the victim of identity theft?
We have no knowledge that any individual’s information has been misused in any way. However, as a precautionary measure and in order to help detect possible misuse of personal information, we recommend that affected individuals follow the steps included in the letter sent regarding the free membership in credit monitoring and identity theft protection services offered.
A copy of your credit report can be obtained, free of charge, directly from each of the three nationwide credit reporting companies. To order an annual free report please visit www.annualcreditreport.com, call toll free at 1-877-322-8228, or directly contact the three nationwide credit reporting companies:
Equifax PO Box 740241 Atlanta, GA 30374 www.equifax.com 1-800-525-6285 |
Experian PO Box 9554 Allen, TX 75013 www.experian.com 1-888-397-3742 |
TransUnion PO Box 6790 Fullerton, CA 92834 www.transunion.com 1-800-680-7289 |
Are you providing credit monitoring services?
Yes. Even though we currently have no knowledge that any information has been misused in any way, as a precautionary measure and in order to help detect possible misuse of personal information, we are offering a free membership in credit monitoring and identity theft protection services to all affected individuals. For more information about these services and instructions on how to activate the membership, please follow the steps included in the notification letter.
What should I do if my credit is compromised or there is fraudulent activity? Will I be responsible for the charges?
We currently have no knowledge that any information has been misused in any way. However, we urge individuals to sign up for the free credit protection services in order to identify any potentially fraudulent use of personal information.
If you ever believe you have been the victim of identity theft or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. Obtain a copy of the police report as you may need to provide copies of the report to creditors to clear up your records. You may also contact the Federal Trade Commission and the Attorney General’s Office in your state.
What are you doing in the future to protect the security of my information?
We are committed to protecting the security and confidentiality of University data, and we deeply regret any inconvenience this may cause you. We took immediate steps to secure personal information and to make sure it is no longer accessible to the unauthorized user. Additionally, employees have been reminded of policies and procedures designed to protect confidential information. Annual IT Security Awareness Training for employees is on-going and additional technologies are being reviewed to strengthen compliance with data security policies and guidelines.
How will I know if my information was used by someone else?
We currently have no knowledge that any information has been misused in any way. However, we encourage individuals to take advantage of the free credit protection services being offered and to be vigilant to the possibility of fraud and identity theft by reviewing credit reports and credit card, bank, and other financial statements for any unauthorized activity. Enrollment information for the free credit monitoring services is provided in the notification letter.
Was any confidential financial information exposed?
No confidential personal financial information was exposed. However, publicly available salary data, such as that provided on the University web site, was accessible.
How does someone obtain a free copy of his or her credit report?
To obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting companies, please visit www.annualcreditreport.com, call toll free at 1-877-322-8228, or directly contact the three nationwide credit reporting companies:
Equifax PO Box 740241 Atlanta, GA 30374 www.equifax.com 1-800-525-6285 |
Experian PO Box 9554 Allen, TX 75013 www.experian.com 1-888-397-3742 |
TransUnion PO Box 6790 Fullerton, CA 92834 www.transunion.com 1-800-680-7289 |
I lost my activation code to enroll in the credit monitoring services. Who can help me?
Please call the University of Memphis incident response line at 1-855-914-4720.
I never received an activation code to enroll in the credit monitoring services.
The activation code was included in the letters mailed to eligible individuals whose information was affected. If you did not receive a letter, your information was not affected. If you misplaced your letter, please contact the University of Memphis incident response line at 1-855-914-4720.
Will this incident affect my employment?
No, this incident will not affect your employment at the University.
Do you know if my information was accessed?
We currently have no knowledge that any individual’s information has been misused in any way. We are notifying all individuals whose information was present in the email account as a precaution.
Is my information still accessible?
We currently have no knowledge that any individual’s information has been misused in any way. Unauthorized access to the email account was revoked on the same day it was discovered. We are notifying all individuals whose information was present in the email account as a precaution.
Who can I contact for assistance?
The University of Memphis takes this matter very seriously. In order to assist you with any questions you may have regarding this incident, the University has established a center specifically dedicated to answering your questions related to this incident. The University of Memphis incident response line can be reached at 1-855-914-4720.
I’m having trouble signing up for credit monitoring services and/or I have additional questions about the credit monitoring services being offered. Who can help me?
Please contact the University of Memphis incident response line at 1-855-914-4720.
Why was my letter sent from an address in Oregon?
In order to notify employees regarding this incident as quickly as possible, the University is working with a mail processing vendor to mail your notification letter. The return address on your envelope is the return address for the mail processing vendor based in Oregon.
I use another product to protect my identity. Will the University reimburse me?
Out of an abundance of caution, the University is offering individuals free membership of credit monitoring and identity theft protection services through TransUnion, as described in the notification letter. The University is not providing any other identity protection services nor compensating individuals for any other identity theft protection services purchased. We sincerely regret any inconvenience this incident may cause.