Privacy Notice

Dear Users:

This letter is to notify you of the potential compromise of your Personally Identifiable Information (PII). On December 5, 2019 Uniformed Services University (USU) Learning Resource Center (LRC) patron information was discovered to have been accessed and altered by an unauthorized user. USU determined that this was a cyber attack.

Some of the LRC patron data included personally identifiable information (PII) for approximately 20,000 users. The compromised PII includes: first name, last name, middle initial, email address, mailing address, phone number, LRC password, and user ID information. In addition, this included an encrypted copy of the last 4 SSN and birth month and day for 251 users. Not all of this information was actually downloaded by the attacker - only a small subset of it based on the evidence we have - but we are nevertheless notifying everyone who could be impacted by the breach. If your information was compromised, a message was sent to the email address we have on file.

PII was generally collected to uniquely identify and distinguish users in our systems. Most communication was by email, but physical addresses and phone numbers were used as secondary communication tools and also as a means to authenticate a phone or chat caller when providing support. In the case of Education Day registration, encrypted birth months and days and the last 4 SSN digits are required to register participants in the Army and Navy CME/CNE systems.

The incident was immediately reported to USU Cybersecurity, the USU Privacy Office, and DoD authorities, who have been conducting a joint inquiry into the loss and remediation of this information.

The attack method used by the hacker has been remediated and the server has been removed from the internet. LRC resources are accessible only to patrons on the USU internal network connected to our commercial (.edu) network until further notice. These services will remain inaccessible outside of USU until they can be replaced or migrated to existing secured services.

In order to ensure you are protected, you should be guided by the actions recommended by the Federal Trade Commission (FTC) at its website at: https://www.identitytheft.gov/. Additionally, it is possible that your contact information may be used in spam, phishing, or other types of fraudulent or unwanted communications. The FTC website provides valuable information that can be taken now or in the future if problems should develop.

USU and the Department of Defense take this loss very seriously and are reviewing their current policies and practices with a view to determining what must be changed to prevent a similar occurrence in the future. USU understands that personally identifiable information must at all times be treated in a manner that preserves and protects the confidentiality of the data.

We deeply regret and apologize for any inconvenience and concern this theft may cause you.

Should you have any questions, please contact the USU Privacy Office at privacyoffice@usuhs.edu or 301-295-1054.

Sincerely,

Richard W. Thomas, MD, DDS, FACS

USU President