Attachment 18B
February 23, 2012 Dear Current and Former CCSF Students and Employees, This letter is sent to you per California State Civil Code 1798.82 and 1798.29 relative to personal information privacy and serves as notification in accordance with the said code. On Monday, November 29, 2011 City College of San Francisco’s (CCSF) Information Technology Department discovered several malicious viruses on a server and computers in a computer class room in Cloud Hall. At least one of the malicious viruses is capable of taking screen shots from a computer monitor and capable of logging keyboard key strokes was found on a computer. The College took immediate steps to remove the server from service and with help from an outside network security company, began to evaluate the pervasiveness of the viruses’ propagation. It was also discovered that the viruses had spread to the College’s instructional and administrative networks infecting many of the servers and computers on the College network. Evaluation of the viruses found that personally identifiable information may have been taken and transmitted to various entities external to the College. It was also indicated that the some of the viruses had been resident on servers and computers for up to ten years. While these malicious viruses were found on the College networks, it appears that none of the District’s databases were compromised as of the time of this writing. The personal data that may have been taken is believed to be only data which may have been captured when an individual used a CCSF computer for financial and other personal transactions. The Federal Bureau of Investigation (FBI) was notified. On January 27, 2012 the FBI’s Cyber Crime Unit subsequently notified the College that there is currently an ongoing criminal investigation relative to viruses based on a criminal case in US District Court. The FBI investigation spans over 4.2 million computers and 32,000 networks worldwide. The CCSF networks are included in them. The FBI informs us that the malicious software directs infected computers to DNS servers throughout the United States used to collect personal identifiable information. Technicians within the CCSF Technology Department are working on cleaning all infected servers and computers. They are also putting in place new security processes in an effort to contain the current and block future attacks. While we have no indication that anyone actually used any of this information, I want to bring this situation to your attention so that you are aware of the actions you can take to minimize any potential risk of identity theft. As a precaution, you may wish to consider placing a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. This procedure is described on a separate attachment included with this letter. Information also is available on a website we have established: http://www.ccsf.edu/securityalert. The web site includes further suggestions for monitoring your credit and links to state and federal resources. Finally, we have established a number to help answer any additional questions you may have at 415-XXX-XXXX. We have a responsibility to safeguard personal information, and all members of the College's workforce take this obligation very seriously. We have worked hard during the past few years to reduce the amount of personal information used for any academic or business reasons to the absolute minimum and we will continue to do so. I deeply regret any concern or inconvenience this incident may cause you. Sincerely,
Dr. Don Q. Griffin Chancellor
Extensive information on steps to protect against personal identity theft and fraud are on the website of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http: //www.privacy.ca.gov. You may wish to consider taking one or more of the following precautionary measures in order to protect yourself against identity theft: Carefully check any credit card and other financial account information you receive. If you detect any unauthorized or suspicious activity in any of these accounts, contact the credit card company or other account issuer immediately. Obtain a free credit report at https://www.annualcreditreport.com/cra/index.jsp. Place a fraud alert on your credit file. A fraud alert notifies creditors to contact you before opening new accounts in your name. It is a free service which is available by contacting one or more of the credit bureaus listed below. You need only contact one of these agencies, which will automatically forward the fraud alert to the other two. Equifax (888) 766-0008 Consumer Fraud Division P.O. Box 740256 Atlanta, GA 30374 www.equifax.com
Experian (888) 397-3742 Credit Fraud Center P.O. Box 1017 Allen, TX 75013 www.experian.com
TransUnion (800) 680-7289 Fraud Victim Assistance P.O. Box 6790 Fullerton, CA 92834
Soon after you place a fraud alert, you will receive credit reports by mail from all three credit reporting agencies. In the credit report: Check your personal information, including home address, Social Security number, etc., for accuracy. Look for any charges you didn't make. Watch for any accounts you didn't open. Note any inquiries from creditors that you didn't initiate. The following websites and telephone numbers provide useful information on consumer fraud and identity theft: Social Security Administration fraud line: 1-800-269-0271 California Attorney General’s Office/Identity Theft: http://caag.state.ca.us/idtheft/tips.htm California Department of Consumer Affairs, Office of Privacy Protection: http://www.privacy.ca.gov/cover/identitytheft.htm Federal Trade Commission's Website on identity theft: http://www.consumer.gov/idtheft/ Please be aware that City College of San Francisco will not contact you regarding the contents of this letter unless you request additional information by email or telephone. We encourage you not to release personal information in response to anyone who may contact you and claim to be affiliated with City College.
ID Fraud Frequently Asked Questions and Answers How was the notice sent? City College sent the notice via US Mail to all students and employees.
I was contacted. What do I do? The fact that you received notification does not mean your identity has been stolen. However, be alert for signs of identity fraud. The Federal Trade Commission recommends, among other actions, contacting the fraud department of any of the three main credit bureaus – Equifax, Experian, or Trans Union and requesting a “fraud alert” to be placed on your credit report. If someone applies for credit in your name, the fraud alert will inform the credit issuer that there may be fraud associated with your name. Be sure to mention that you received a notification of confidential information exposure. What are the signs of identify theft or fraud? Following are some signs indicating possible fraud or identity theft: One of your creditors informs you that it has received an application for credit with your name and social security number You receive statements with your name and address for services you never requested including credit card, utility, and telephone Some or all of your credit card statements are missing, or you notice that not all your mail is being delivered to you You have unusual activity or purchases on your credit card statement You are contacted by a collection agency for defaulted accounts with your identity, but you never opened those accounts How do I contact Equifax, Experian, or Trans Union? Following is contact information for the fraud divisions of the three main credit bureaus: Equifax (888) 766-0008 Consumer Fraud Division P.O. Box 740256 Atlanta, GA 30374 www.equifax.com
Experian (888) 397-3742 Credit Fraud Center P.O. Box 1017 Allen, TX 75013 www.experian.com
TransUnion (800) 680-7289 Fraud Victim Assistance P.O. Box 6790 Fullerton, CA 92834
How long is the fraud alert? A fraud alert lasts 90 days. If you are a victim of ID theft, you may apply for a fraud alert that lasts 7 years, but you must provide a theft report, which is a copy of a report filed with a local, state, or federal law enforcement agency concerning the identity theft. How much does it cost to have the fraud alert? Both the initial and extended fraud alerts are free of charge. In addition, you will also be eligible to get a free credit report. For more information, please consult the Federal Trade Commission website.
How do I know if my confidential information was used by someone else? Get a credit report from any of the three main credit bureaus – Equifax, Experian, or Trans Union. Alternatively, you can also obtain a free credit report at www.annualcreditreport.com. If the report contains accounts that you did not open, it is possible your confidential information was used without your permission. Also check the addresses listed in the personal information section. If you have not lived at one or more of the addresses, it is possible your confidential information was used without your permission. Do I have to pay for a credit report? Contact the three main credit bureaus and advise them that you have received a notification that your confidential personal information has been exposed. They should provide a credit report free of charge. You may also request a Fraud Alert which also entitles you to free credit reports. My credit report has indications of fraud. What do I do? If you suspect you are the victim of ID fraud, the Federal Trade Commission recommends you do the following:
Contact the fraud department of one of the three major credit bureaus. Close any accounts you suspect have been tampered with. File a police report. File a complaint with the Federal Trade Commission. Call (877) ID-THEFT or (877) 438-4338. Please visit the FTC website for more information. The website is www.consumer.gov/idtheft.
Do I have to call all three bureaus? In general, you should not have to call all three bureaus. However, confirm with the bureau you contact first that it will contact the other two. How long will it take to get my credit report? It can take up to 20 days from the day you place the initial call. It takes up to 10 days to receive a fraud alert confirmation letter from the credit bureau(s). That letter contains instructions on ordering a credit report. Once you order the credit report, it can take up to 10 days for you to receive a copy. Will the fraud alert stop me from using my credit cards or applying for credit? No. The fraud alert will not stop you from using your existing credit cards. The fraud alert is designed to help protect against identity theft and could slow down the process when you are applying for credit. Creditors will see a fraud alert, which will prompt them to be more suspicious and re-verify the identity of the person applying for credit. Should I change my Social Security Number (SSN)? The Social Security Administration rarely changes SSN’s. There are drawbacks to changing your SSN. For example, there will be no history associated with the new SSN which could make transactions such as obtaining credit difficult.
I received mail/phone call/email from someone claiming to be a representative of CCSF. Is this legitimate? A notification with information on precautionary measures and resources was sent to those affected. CCSF will not contact you regarding the notification letter. We recommend that you do not release any personal information in response to any contact you did not initiate. Additional Resources: Annual Credit Report: https://www.annualcreditreport.com/ Federal Trade Commission ID Theft: www.consumer.gov/idtheft Social Security ID Theft: www.ssa.gov/pubs/idtheft.htm ID Theft Resource Center: www.idtheftcenter.org Privacy Rights Clearing House Identity Theft Resources: www.privacyrights.org/identity.htm Fight Identity Theft: www.fightidentitytheft.com California Office of Privacy Protection: www.privacy.ca.gov California Office of Attorney General ID Theft Registry: http://caag.state.ca.us/idtheft/index.htm