Sample Breach Notification Letters

Academy Mortgage Data Breach Sample Notification Letter (downloadable PDF)

Academy Mortgage Corporation
c/o Cyberscout
PO Box 1286
Dearborn, MI 48120-9998
Via First-Class Mail

December 20, 2023

Notice of Data Security Incident

Dear ,

You are receiving this letter because you are a current or former employee of Academy Mortgage Corporation (Academy). We are writing to inform you of an incident that may have exposed your personal information. We take the privacy of your personal information seriously and want to provide you with information and resources you can use to protect information.

What Happened and What Information was Involved:

On March 21, 2023, we detected and stopped a network security incident, in which an unauthorized third party accessed and disabled some of our systems. We immediately engaged third-party forensic specialists to assist us with securing the network environment and investigating the extent of any unauthorized activity. Our investigation, which concluded November 28, 2023, determined an unauthorized third party may have accessed certain individual personal information during this incident.

We found no evidence that your information has been specifically misused; however, it is possible that the following personal information could have been accessed by an unauthorized third party: first and last name, date of birth, and Social Security number. This information was maintained on our system for standard payroll and organizational purposes.

To date, we have not received information of a specific misuse of personal information.

What We Are Doing:

Data security is one of our highest priorities. Upon detecting this incident we moved quickly to initiate a response, which included conducting an investigation with the assistance of IT specialists and confirming the security of our network environment. We also notified law enforcement. We have wiped and rebuilt affected systems and have taken steps to bolster our network security. We are also reviewing and altering our policies, procedures, and network security software relating to the security of our systems.

We are offering Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge. These services provide you with alerts for twelve months from the date of enrollment when changes occur to your credit file. This notification is sent to you the same day that the change or update takes place with the bureau. Finally, we are providing you with proactive fraud assistance to help with any questions that you might have or in the event that you become a victim of fraud. These services will be provided by Cyberscout through Identity Force, a TransUnion company specializing in fraud assistance and remediation services.

What You Can Do:

To enroll in Credit Monitoring services at no charge, please log on to https://secure.identityforce.com/benefit/academy and follow the instructions provided. When prompted please provide the following unique code to receive services: UYJHYTQ4SE. Please note you must enroll within 90 days of the date of this letter.

Enclosed you will find additional information regarding the resources available to you, and the steps that you can take to further protect your personal information.

For More Information:

We recognize that you may have questions not addressed in this letter. If you have additional questions, please call 1-833-519-0431, Monday through Friday, 8:00 am to 8:00 pm EST. We encourage you to take full advantage of this service offering. Representatives have been fully versed on the incident and can answer questions or concerns you may have regarding protection of your personal information.

We value the security of the personal data that we maintain, and understand the frustration, concern, and inconvenience that this incident may have caused.

Sincerely,

Academy Mortgage Corporation

Additional Information

Credit Reports: You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies. To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.

Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. As of September 21, 2018, it is free to place, lift, or remove a security freeze. You may also place a security freeze for children under the age of 16. You may obtain a free security freeze by contacting any one or more of the following national consumer reporting agencies:

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
1-800-349-9960
https://www.equifax.com/personal/credit-report-services/credit-freeze/

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com/freeze/center.html

TransUnion Security Freeze
P.O. Box 160
Woodlyn, PA 19094
1-800-909-8872
www.transunion.com/credit-freeze

Fraud Alerts: You can place fraud alerts with the three credit bureaus by phone and online with:
Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf);
TransUnion (https://www.transunion.com/fraud-alerts); or
Experian (https://www.experian.com/fraud/center.html).

A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. As of September 21, 2018, initial fraud alerts last for one year. Victims of identity theft can also get an extended fraud alert for seven years. The phone numbers for all three credit bureaus are listed above.

Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.

File Police Report: You have the right to file or obtain a police report if you experience identity fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide proof that you have been a victim. A police report is often required to dispute fraudulent items. You can generally report suspected incidents of identity theft to local law enforcement or to the Attorney General.

FTC and Attorneys General: You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General.

The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338), TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement.

For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-888-743-0023, and www.oag.state.md.us.

For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit prescreened offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.

For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-566-7226 or 1-919-716-6400, and www.ncdoj.gov.

For New York residents, the Attorney General may be contacted at Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755, and https://ag.ny.gov/.

For Rhode Island residents, the Rhode Island Attorney General can be reached at 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, and 1-401-274-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident.

Ashford Data Breach Sample Notification Letter (downloadable PDF)

Enrollment Code: <>

P.O. Box 989728
West Sacramento, CA 95798-9728

To Enroll, Scan the QR Code Below:
Or Visit: https://app.idx.us/account-creation/protect

<> <> <> <> <>, <> <>

January 19, 2024

RE: NOTICE OF <>

Dear <> <>:

Ashford, Inc. and its subsidiary, <> (collectively, “Ashford”) are contacting you to notify you of an incident suffered by Ashford, Inc. that affects some of your personal information. We take the security of information in our care seriously, and are providing you with this notice to make you aware of the incident, the steps we are taking in response, and steps you may take to help protect your personal information, should you feel it is appropriate to do so.

What Happened? On September 20, 2023, Ashford became aware of suspicious activity on our computer network. Following this, we immediately commenced an investigation with the assistance of computer forensic specialists to secure our systems and determine the nature and scope of the incident. Our investigation determined that an unknown and unauthorized actor accessed certain systems in our environment on September 7, 2023, and accessed and acquired certain files stored on these systems during this time. Ashford then undertook a detailed and time-consuming review of the files to determine what data was contained within the files and to whom that data relates. On or about November 8, 2023, this review concluded, and we determined that information related to you was present within the affected files. Since then, we have worked to locate necessary address information in order to provide an accurate notice. We have no evidence of any fraudulent misuse of your information in connection with this incident.

What Information Was Involved? The following types of your information were present in the affected files: your name and <>. To date, we are unaware of any actual misuse of this information as a result of the event. If information of your dependent(s) was impacted, we are sending you a separate letter for each dependent.

What We Are Doing. Upon discovering this incident, we took immediate steps to further secure our environment and conducted a thorough investigation of the incident. We have also implemented additional safeguards to increase our security posture. We have notified federal law enforcement and other regulators as required. As an added precaution, we are offering you complimentary access to 24 months of credit monitoring services, through IDX, a ZeroFox company. You will need to enroll yourself in these services if you wish to do so, as we are not able to activate them on your behalf. Please review the instructions contained in the attached Steps You Can Take to Protect Personal Information for additional detail on these services.

What You Can Do. Ashford encourages you to remain vigilant against incidents of identity theft and fraud, to review your account statements and monitor free credit reports for suspicious activity and to detect errors. We also encourage you to review the enclosed Steps You Can Take to Protect Personal Information and enroll in the credit monitoring services we are offering. In addition, we encourage you to promptly report any suspected incidents of identity theft to local law enforcement, the Federal Trade Commission, and/or your state Attorney General.

ESO Solutions Data Breach Sample Notification Letter (downloadable PDF)

<<Date>> (Format: Month Day, Year)
<<first_name>> <<middle_name>> <<last_name>> <<suffix>>
<<address_1>>
<<address_2>>
<<city>>, <<state_province>> <<postal_code>>
<<country>>

Notice of Data Incident

Dear <<first_name>> <<middle_name>> <<last_name>> <<suffix>>:

ESO Solutions, Inc. (“ESO”) provides software services that help hospitals and healthcare systems improve operations, quality, and patient outcomes. For this reason, we are likely to have your information from when a healthcare organization provided injury or emergency care to you in the past. We are writing to inform you of an incident that may have exposed your protected health information. We take the security of your information seriously and want to provide you with information you can use to help protect yourself.

What Happened
On September 28, 2023, we detected and stopped a sophisticated ransomware incident, in which an unauthorized third party accessed and encrypted some of ESO’s computer systems. We immediately took the affected systems offline, secured our network environment, and engaged third-party forensic specialists to assist us with investigating the extent of any unauthorized activity.

Our investigation determined that the unauthorized third party may have acquired your personal data during this incident. Please know that we have taken all reasonable steps to prevent your data from being further published or distributed, have notified and are working with federal law enforcement to investigate.

On October 23, 2023, we determined that your personal and patient information was located on one of the impacted systems. While we have found no evidence that your information has been misused, we are notifying you of this incident and offering you the resources provided in this letter, in an abundance of caution and so that you can take precautionary steps to help protect yourself, should you wish to do so. ESO recommends that you proceed with caution, and take advantage of the resources provided in this letter.

What Information Was Involved
At present there is no evidence that any of your personal information has been misused; however, the impacted data may have contained your personal information, including your name, social security number, phone number, address, and medical treatment information. Additionally, it is possible that the following protected health information fields could have been accessed: patient account and/or medical record number, injury and diagnosis information, procedure type (if applicable), insurance and payer information, and other items found in your registry file. At this time, we do not have evidence that your information has been misused.

What We Are Doing
Data security is one of our highest priorities. Upon discovery of the incident, we immediately secured our networks, implemented measures to confirm the security of our systems, safely restored our systems and operations via viable backups, initiated an investigation of the incident with the assistance of forensic experts, and notified the FBI (Federal Bureau of Investigation).

We value the safety of your personal information and want to make sure you have the information you need so that you can take steps to further protect yourself, should you feel it appropriate to do so. We encourage you to remain vigilant and to regularly review and monitor relevant account statements and credit reports and report suspected incidents of identity theft to local law enforcement, your state’s Attorney General, or the Federal Trade Commission (the “FTC”). We have included more information on these steps below.
In addition, we are providing you with access to 12 months of identity monitoring through Kroll at no charge to you.

What You Can Do
To help relieve concerns following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for 12 months. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, Fraud Consultation, and Identity Theft Restoration.

Visit https://enroll.krollmonitoring.com to activate and take advantage of your identity monitoring services.

You have until <<b2b_text_6 (activation date)>> to activate your identity monitoring services.
Membership Number: <<Membership Number s_n>>

For more information about Kroll and your Identity Monitoring services, you can visit info.krollmonitoring.com.

Additional Steps
In addition to activating the complimentary identity monitoring services being offered, we encourage you to review the enclosed Additional Important Information for additional guidance on how to help protect against identity theft and fraud.

For More Information
On behalf of ESO, please accept our sincere apology for this incident and any inconvenience it may cause you. We value the security of the protected health information and personal information that we maintain, and understand the frustration, concern, and inconvenience that this incident may have caused. I can assure you that we continue to build on our already substantial investments in cybersecurity to prevent an incident like this from reoccurring and protect you and your information, now and in the future.

Representatives are available to assist you with questions regarding this incident, between the hours of 9:00 a.m. to 6:30 p.m. Eastern Time, Monday through Friday, excluding major U.S. holidays. Please call the help line at (866) 347-8525 with any questions you may have.

Sincerely,

Jonathan Cummings
Chief Information Security Officer
ESO

Xfinity/Comcast Data Breach Sample Notification Letter (downloadable PDF)

Xfinity
Return to IDX
P.O. Box 989728
West Sacramento, CA 95798-9728

<<First Name>> <<Last Name>>
<<Address1>>
<<Address2>>
<<City>>, <<State>> <<Zip>>

Re: Notice of Data Breach

January 26, 2024

Dear <<First Name>> <<Last Name>>:

We are notifying you of a recent security incident involving your personal information. This notice explains the incident, steps Xfinity has taken to address it, and guidance on what you can do to protect your personal information.

What Happened? On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.

However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of the Citrix vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.

What Information Was Involved? On January 18, 2024, we concluded that the information included your <<name/Social Security number/driver’s license number>>.

What We Are Doing. In addition to taking the steps detailed above, we are offering you complimentary credit monitoring and identity restoration services through IDX, a ZeroFox Company. IDX identity protection services include 24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services.

What You Can Do. We recommend you review the “Steps You Can Take To Protect Your Information” section included with this letter, which includes instructions on how to enroll in the credit monitoring services, as well as additional information on how you can further protect your personal information.

More Information. If you have additional questions, please contact IDX, Xfinity’s incident response provider managing credit monitoring enrollment, customer notifications, and call center support, at 1-888-686-5142 toll-free 24 hours a day, seven days a week.

We know that you trust Xfinity to protect your information, and we can’t emphasize enough how seriously we are taking this matter. We remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe.

Sincerely,

Xfinity

