Statement and Frequently Asked Questions about the 2019 COAERS Data Security Incident
On August 6, 2019, the City of Austin Employees’ Retirement System (COAERS) learned that a COAERS employee’s email account, which was compromised, could have exposed Personally Identifiable Information (PII) of certain COAERS members, as well as some survivor annuitants and beneficiaries. While the incident is still under investigation, COAERS has contained the situation.
We apologize for any inconvenience or distress this might cause anyone and deeply regret that it happened. COAERS works diligently to protect all the information entrusted to us and will continue to do so. To help relieve concerns following this incident, COAERS secured identity and credit monitoring services for potentially affected COAERS members. Further details are included below.
1. What happened?
On August 6, 2019, we learned that a COAERS employee’s email account, which was compromised, could have exposed Personally Identifiable Information (PII) of certain COAERS members, as well as some survivor annuitants and beneficiaries. COAERS immediately began working with outside experts, legal counsel, technology security consultants, and law enforcement to thoroughly investigate the incident. At the onset of the investigation, COAERS did not have evidence of whether PII was either accessed or acquired.
Based on the ongoing investigation, it remains indeterminable whether PII was either accessed or acquired. In the absence of such evidence and after consulting with law enforcement, COAERS began the notification process to ensure the information relayed is accurate and that it would not impede any investigation into the matter. Notification letters including instructions on how to enroll in identity and credit monitoring services were mailed on September 6, 2019.
2. How did it happen?
The cause of the incident is currently under investigation by law enforcement and security consultants. We will continue to update the FAQ as we receive information.
3. What information may have been accessed?
Information that could have been accessed varies by member, but may include full name, address, date of birth, and social security number. COAERS has notified potentially affected members regarding the specific information of theirs that may have been accessed.
4. How do I know if I was affected?
If your information was potentially exposed, you would have received a notification letter from COAERS. Letters were mailed to addresses on file with COAERS on September 6, 2019. Additionally, based on the investigation, the PII of COAERS members whose membership began on or after January 1, 2017, was not in the employee email account and was therefore not potentially accessed or acquired. If you did not receive a notice from COAERS, but wish to verify whether or not you are included, you may call COAERS at 512-458-2551.
5. Why was my PII in the COAERS email account?
COAERS regularly analyzes and reconciles the information contained in member accounts, and this information is transmitted internally to facilitate the analysis. COAERS is reviewing all policies and practices related to the transmittal and storage of member information.
6. Why don’t you know for sure what information was exposed?
Based on the investigation, there is no log indicating whether the records containing PII were accessed. We are acting out of an abundance of caution and providing notice to potentially impacted members.
7. Did this incident impact COAERS financial or custodial accounts?
No. COAERS’ financial and custodial accounts have strict controls and are monitored daily.
8. Will this affect COAERS’ ability to provide my retirement check?
This will not affect COAERS’ ability to issue monthly retirement payments to our members.
9. Should I close my bank account?
No. Bank account information was not included in the potentially compromised data.
10. Should I close my credit card accounts?
No. COAERS does not hold any information about your credit cards.
11. When did COAERS find out that PII may have been accessed?
COAERS learned on August 6, 2019, that members’ PII may have been accessed.
12. If COAERS knew about the issue on August 6, why didn’t you notify people sooner?
COAERS immediately began working with outside experts, legal counsel, technology security consultants and law enforcement to thoroughly investigate the incident. At the onset of the investigation, COAERS did not have evidence of whether PII was accessed or acquired. Based on the ongoing investigation, it remains indeterminable whether PII was either accessed or acquired. In the absence of such evidence and after consulting with law enforcement, COAERS began the notification process to ensure the information relayed is accurate and that it would not impede any investigation into the matter.
13. What are you doing to prevent this from happening again?
COAERS works extremely hard to protect all the information entrusted to us and will continue to do so by taking necessary measures to help prevent an incident from occurring in the future.
14. How is COAERS going to pay for identity protection services for members and beneficiaries who need to use them?
The services will be paid using COAERS’ administrative funds. The expense will have no impact on the benefits we administer for members and their families.
15. Has anyone been adversely affected as a result of this incident?
We have not heard about anyone being adversely affected. We will continue to update the FAQ with the most current information.
16. Is this incident related to the recent ransomware attacks targeting other Texas local governments or other recent cyber-attacks such as Capital One or Equifax?
At this point, we do not know. The incident is currently under investigation by law enforcement. We will continue to update the FAQ with the most current information.
17. I am a COAERS member, but I didn’t get a letter. What do I need to know?
Based on our investigation, the PII of COAERS members whose membership began on or after January 1, 2017, was not in the employee email account and was therefore not potentially accessed or acquired. If you did not receive a notice from COAERS, but wish to verify whether or not you are included, you may call COAERS at 512-458-2551.
18. I received a different letter than another COAERS member. Why?
COAERS sent customized notifications to potentially affected members based on the type of PII that may have been accessed or acquired.
19. What do I do if my identity is stolen?
While we have not been able to determine whether information was accessed or acquired, out of an abundance of caution, COAERS is providing identity restoration and credit monitoring services through TransUnion to all potentially affected individuals at no cost to them. Starting on September 6, 2019, COAERS mailed detailed letters to potentially impacted members to the address on file with COAERS. The letter includes information about TransUnion services and how to enroll in them. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report.
20. What can I do to protect my identity after an incident like this?
As a safeguard, COAERS has arranged for potentially impacted members to enroll, at no cost to them, in an online three-bureau credit monitoring service (myTrueIdentity) for one year, provided by TransUnion Interactive, a subsidiary of TransUnion®, one of the three nationwide credit reporting companies.
To enroll in this service, follow the instructions on your notification letter. If you do not have your letter, contact COAERS at 512-458-2551.
You can sign up for the online or offline credit monitoring service anytime between now and December 31, 2019.
Due to privacy laws, COAERS cannot register you directly and will not call you to help you enroll.
BE ADVISED, NO ONE FROM COAERS, THE CITY, TRANSUNION, THE CREDIT MONITORING BUREAUS OR ANY OTHER OFFICIAL ENTITY WILL BE CALLING TO ASK YOU QUESTIONS ABOUT THIS SITUATION OR ABOUT YOUR PERSONAL INFORMATION RELATED TO THIS SITUATION. IF YOU RECEIVE A CALL ABOUT THIS SITUATION OR REQUESTING YOUR PERSONAL INFORMATION, DO NOT PROVIDE PERSONAL INFORMATION TO THE CALLER.
Please note that credit monitoring services may not be available for individuals who do not have a credit file with TransUnion®, Experian® and Equifax®, or an address in the United States (or its territories) and a valid Social Security number. Enrolling in this service will not affect your credit score.
Once you enroll, you will be able to obtain unlimited access to your TransUnion credit report and credit score. The daily three-bureau credit monitoring service will notify you if there are any critical changes to your credit files at TransUnion, Experian, and Equifax, including fraud alerts, new inquiries, new accounts, new public records, late payments, change of address and more. The service also includes access to an identity restoration program that provides assistance in the event your identity is compromised to help you restore your identity and up to $1,000,000 in identity theft insurance with no deductible. (Policy limitations and exclusions may apply.)
Whether you choose to enroll or not, COAERS recommends following usual good practices to protect your identity, including regularly reviewing account statements, periodically obtaining copies of credit reports from one or more of the national credit reporting agencies and reporting any suspicious activity to law enforcement.
Fraud Alert Information
Whether or not you enroll in credit monitoring, we recommend that you place a free “Fraud Alert” on your credit file. Fraud Alert messages notify potential credit grantors to verify your identification before extending credit in your name in case someone is using your information without your consent. A Fraud Alert can make it more difficult for someone to get credit in your name; however, please be aware that it also may delay your ability to obtain credit. Call only one of the following three nationwide credit-reporting companies to place your Fraud Alert: TransUnion, Equifax, or Experian. As soon as the credit reporting company confirms your Fraud Alert, they will also forward your alert request to the other two nationwide credit-reporting companies so you do not need to contact each of them separately. The contact information for the three nationwide credit-reporting companies is:
Equifax: PO Box 740256, Atlanta, GA 30374; www.alerts.equifax.com; 1-800-525-6285
TransUnion: PO Box 2000, Chester, PA 19016; www.transunion.com/fraud; 1-800-680-7289
Experian: PO Box 9554, Allen, TX 75013; www.experian.com/fraud; 1-888-397-3742
Free Credit Report Information
Under federal law, you are also entitled to one free credit report once every 12 months from each of the above three major nationwide credit-reporting companies. Call 1-877-322-8228 or make a request online at www.annualcreditreport.com.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the Federal Trade Commission (FTC) at www.identitytheft.gov or at 1-877-ID-THEFT (1-877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. Also, visit the FTC’s website at www.ftc.gov/idtheft to review their free identity theft resources such as their comprehensive step-by-step guide “Identity Theft - A Recovery Plan”.
Security Freeze Information
You can request a free Security Freeze (aka “Credit Freeze”) on your credit file by contacting each of the three nationwide credit-reporting companies via the channels outlined below. When a credit freeze is added to your credit report, third parties, such as credit lenders or other companies, whose use is not exempt under law will not be able to access your credit report without your consent. A credit freeze can make it more difficult for someone to get credit in your name; however, please be aware that it also may delay your ability to obtain credit.
Equifax Security Freeze: PO Box 105788, Atlanta, GA 30348; www.freeze.equifax.com; 1-800-685-1111
TransUnion Security Freeze: PO Box 2000, Chester, PA 19016; www.transunion.com/freeze; 1-888-909-8872
Experian Security Freeze: PO Box 9554, Allen, TX 75013; www.experian.com/freeze; 1-888-397-3742
Special note for minors affected by this incident: The same services referred to above may not be available to affected minors. As an alternative, if you are a parent or legal guardian, you can check whether your child may be a victim of identity theft by using TransUnion's secure online form at www.transunion.com/childidentitytheft to submit your information so TransUnion can check its database for a credit file with your child's Social Security number. After TransUnion's search is complete, they will respond to you at the email address you provide. If they locate a file in your child's name, they will ask you for additional information in order to proceed with steps to protect your child from any impact associated with this fraudulent activity.
We regret that this incident has occurred. Please be assured that COAERS works extremely hard to protect all of the information entrusted to us and will continue to do so. We trust that the services we are offering to you demonstrate our continued commitment to your security and satisfaction.