Cyber Communications

Dear Tucson Unified Community,

As you are aware, our district joined an ever-growing number of U.S. school districts that have been targeted by cybercriminals when we experienced a sophisticated cybersecurity incident at the end of January. From the earliest moments of this incident, our team committed to providing updates as quickly as possible. In the spirit of full transparency and timely communication, we wanted to ensure that we are doing all that we can to provide you with the latest progress on this incident.

Recently, an external team of experienced cyber security professionals finalized an extensive review of documents and files containing personal information that were potentially accessed and/or acquired. The comprehensive nature of the investigative review of these files required a one by one review of approximately one million individual records over the past several months.

As this process has now concluded, the investigation identified approximately 29,000 people who had personal information potentially accessed and/or acquired. At this time, we are finalizing individual notification letters to those 29,000 potentially impacted people. The letters will list what personal information was identified during the investigation.

As a district, we are intent on continuing to support those whose information was potentially accessed and/or acquired. The individual notification letters provide the best guidance on steps that can be taken to protect against potential fraud. In addition to providing the individual notifications, we have set up a call center to help answer any questions you may have.

Maintaining the privacy and security of the personal information of those connected with TUSD is of the utmost importance to us, and we continually evaluate and modify our practices to enhance its security and privacy. I want to express my appreciation for your patience and support during this unprecedented cyber incident on our community as well as to extend our apologies for the inconvenience, stress, and anxiety the incident may have caused you and your loved ones.

Sincerely,

Dr. Gabriel Trujillo
Superintendent

Frequently Asked Questions

(1) What happened?

As a result of a sophisticated cybersecurity incident, TUSD discovered that an unauthorized actor accessed portions of their network.

Upon learning of this issue, TUSD contained the threat, notified law enforcement and commenced a prompt and thorough investigation with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and manual file review, we discovered on July 21, 2023 that the files that were potentially accessed and/or acquired on or around January 20, 2023 contained some personal information.

(2) I received a letter on the mail with a Sacramento, CA return address, is this letter legitimate? Is it a scam?

Yes, the letter is from Tucson Unified. We can assure that the letter is legitimate, the California address is the mail center’s return address.

TUSD wants to make you aware of the situation and provide you with guidance on how you can protect yourself.

(3) Why does TUSD have my information?

If you received this notification, it is because you are either a current or former student and/or employee of TUSD.

(4) The incident happened in late January - why did it take so long for me to receive notification?

There has been no delay in notification. Upon learning of this issue, TUSD contained the threat, notified law enforcement and commenced a prompt and thorough investigation with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and manual file review, we discovered on July 21, 2023 that the files that were potentially accessed and/or acquired on or around January 20, 2023 contained some personal information. Thereafter, TUSD worked to provide notice to potentially affected individuals as quickly as possible.

(5) I received a notification from TUSD about a security incident. Does this mean someone has misused or will misuse my information?

Not necessarily. At this time, we have not received any reports of misuse of data. Nonetheless, out of an abundance of caution, TUSD wants to make you aware of the incident and let you know that it continues to take significant measures to protect your information.

(6) I received a call or text from TUSD related to this security incident asking for my information. What should I do?

TUSD is not proactively calling, texting or emailing customers to ask for personal information of individuals related to or impacted by this security incident.

If you have provided personal information over the phone or clicked on the links in a fraudulent email, we recommend reviewing the information contained in the notification letter you received that discusses ways in which you can take steps to protect your information.

(7) Who is affected by this incident?

A limited number of individuals who were notified.

(8) What information of mine was involved?

Your notice letter describes what information of yours was involved. Please refer to the “What Information Was Involved” heading in your letter.

(9) As a result of this incident, will I become a victim of identity theft?

(10) Should I close my credit or debit account?

Credit or debit information was not involved in this incident. Nonetheless, TUSD recommends that you should always remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis.

(11) What is TUSD doing in light of this incident?

Upon learning of this issue, TUSD contained the threat, notified law enforcement and commenced a prompt and thorough investigation with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and manual file review, we discovered on July 21, 2023 that the files that were potentially accessed and/or acquired on or around January 20, 2023 contained some personal information.

(12) How do I know if my information was involved in this incident?

If you did not receive a notice letter and you think you may be impacted, you will need to contact the call center at 888-898-1444 and provide your full name and they will confirm whether your information may have been compromised as a result of this incident.

(13) Does TUSD have any reports of actual misuse of the information as a result of this incident?

At this time, we have not received any reports of misuse of data. Nonetheless, out of an abundance of caution, TUSD wants to make you aware of the incident and let you know that it continues to take significant measures to protect your information.

(14) What can I do to protect myself?

TUSD suggests you consider taking the following steps:

Enroll in the credit monitoring services offered at no cost to you.
You should always remain vigilant in reviewing your financial and credit/debit card account statements for fraudulent or irregular activity on a regular basis.
You may consider placing a fraud alert and/or security freeze on your credit file.
You may order a free credit report.
If applicable to you, you should follow the general practices provided in your notice letter that can help protect you from medical identity theft.

(15) Why did I not receive a notice about this incident?

TUSD provided notice via U.S. Mail to all those potentially impacted. If you did not receive a notice letter and you think you may be impacted, you will need to contact the call center at 888-898-1444 and provide your full name and they will confirm whether your information may have been compromised as a result of this incident.

(16) Is TUSD providing credit monitoring services?

If applicable and included within your notice letter, TUSD is offering credit monitoring through TransUnion.

(17) How do I enroll with the credit monitoring service?

Website and Enrollment. Go to the IDX website and follow the instructions for enrollment using your Enrollment Code provided at the top of the letter.

Activate the credit monitoring provided as part of your IDX identity protection membership. The monitoring included in the membership must be activated to be effective. Note: You must have established credit and access to a computer and the internet to use this service. If you need assistance, IDX will be able to assist you.

(18) Can TUSD just register me in the credit monitoring product?

Unfortunately, TUSD cannot register for you. You must enroll yourself online (or over the phone) using the Activation Code in your notice letter if you received one.

(19) How long do I have to enroll in the credit monitoring product?

You can sign up for this service anytime using the Activation Code listed in your notification letter.

(20) What is a fraud alert?

A fraud alert tells creditors to contact you personally before they open any new accounts.

Frequently Asked Questions

(21) How do I place a fraud alert on my account?

In order to place a fraud alert, you will need to call any one of the three major credit bureaus (as soon as one credit bureau confirms your fraud alert, they will notify the others to place fraud alerts). Alternatively, you may file the Fraud Alert online. Here is a link to the Experian fraud alert home page.

Equifax
P.O. Box 105069
Atlanta, GA 30348
Website
(800) 525-6285

Experian
P.O. Box 9554
Allen, TX 75013
Website
(888) 397-3742

TransUnion LLC
P.O. Box 2000
Chester, PA 19016-2000
Website
(800) 680-7289

(22) How long does a fraud alert last?

An initial fraud alert lasts one year and it is free.

(23) Will a fraud alert stop me from using my credit cards?

No. A fraud alert will not stop you from using your credit cards or other accounts.

(24) Can I still apply for a credit card after I place a fraud alert on my credit report?

Yes, but the verification process may be more cumbersome. Potential creditors will receive a message alerting them to the possibility of fraud and that creditors should re-verify the identity of a person applying for credit.

(25) How do I place a Security Freeze on my credit files and how much does it cost?

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “Security Freeze” be placed on your credit file, at no cost to you. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by sending a request in writing, by mail, to all three nationwide credit reporting companies. To find out more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Credit Freeze Info
(800) 349-9960

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
Credit Freeze Info
(888) 397-3742

TransUnion Security Freeze
P.O. Box 160
Woodlyn, PA 19094
Credit Freeze Info
(800) 916-8800

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name, or to commit fraud or other crimes against you, you may file a police report in the City in which you currently reside.

If you do place a security freeze prior to enrolling in the credit monitoring service as described above, you will need to remove the freeze in order to sign up for the credit monitoring. After you sign up for the credit monitoring service, you may refreeze your credit file.

(26) What should I do if I find suspicious activity on my credit reports or have reason to believe my information is being misused?

Promptly call your local law enforcement agency and file a police report. Get a copy of the police report, as many creditors will want the information it contains to absolve you of fraudulent debts. You may also file a complaint with the FTC online or reach the FTC at 1-877-IDTHEFT (1-877-438-4338) or 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

(27) When I called to place a fraud alert, they asked for my Social Security number. Is this ok?

Yes. The credit bureaus will indeed ask for your Social Security number and other personal information to verify your identity and avoid sending any credit report or correspondence to the wrong individual. However, TUSD cautions against you providing any information to any entity or person contacting you directly asking for your personal information.

(28) How do I obtain a free credit report?

Under federal law, you are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

(29) I lost my notification. Can you provide a new one to me?

Yes. If you have lost your notification, you will need to contact the call center at 888-898-1444 and verify your information to receive a replacement notification letter.

(30) I have experienced fraud on my card or debit card. What do I do?

Credit or debit information was not involved in this incident. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. If reported promptly, major credit card companies typically guarantee cardholders will not be responsible for fraudulent charges.

(31) Is this matter related to the recent MoveIT cyber-incident?

No, this is a separate and unrelated incident. We have no information at this time that our District has been impacted by the MoveIT incident.

(32) Do I have any legal recourse?

Unfortunately, TUSD is not in a position to provide any legal advice related to the incident.

(33) Will we receive any additional information or update?

If a further update is warranted, TUSD will provide one accordingly.

(34) The individual this letter is addressed to is deceased. What should I do?

Please provide your name and contact information and a representative will contact you with information you can use to protect the estate.

(35) I have additional questions that cannot be answered. What should I do?

Please provide me with your full name and contact information and we will have a representative contact you within at timely manner during business hours.

(36) I am with ______________________ (Media); can you provide me with further information about the recent data breach?

Thank you for your inquiry. Unfortunately, I’m not the best person to respond to your questions. But if you provide me with your contact information and deadline, I’ll be happy to pass your inquiry along to the appropriate contact and have them get in touch with you. Can you please provide me with your:

Name
Media outlet
Contact information (both phone and email)
Nature of inquiry
Deadline

Thank you so much – I appreciate it. I’ll pass this along now, and we’ll have someone get in touch with you promptly.

IF PRESSED FOR ADDITIONAL INFORMATION: I’m sorry, but I’ve given you all the information I have at this time and will need to have a spokesperson follow up.