CHICAGO, July 27, 2020 /PRNewswire/ — Front Rush, LLC (“Front Rush”) is providing notice of a recent incident involving personal information. To date, Front Rush has not received any reports that personal information has been misused as a result of this incident. Front Rush began sending letters to potentially affected individuals for whom address information was available on July 27, 2020.
Front Rush, LLC (“Front Rush”) provides athletics management software solutions to academic institutions and amateur athletics organizations (“institutions”). These institutions store certain information pertaining to student athletes on Front Rush’s systems due to the institutions’ use of Front Rush’s software solutions.
What Happened? On or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazon Web Services S3 buckets (“the S3 bucket”) was publicly accessible from the internet. The S3 bucket contained: (a) certain attachments (like transcripts, injury reports, or athletic reports) that were placed in the platform by the institutions; and (b) certain attachments that were uploaded by student-athletes, prospective student-athletes or their parents/guardians, in response to prompts in a recruitment questionnaire formulated and disseminated by the institutions.
Upon learning of this event, Front Rush immediately commenced an investigation, working with third-party forensic investigators, to assess the nature and scope of the incident. The investigation determined that the S3 bucket was publicly accessible between January 18, 2016 and January 8, 2020. Front Rush’s own internal database and systems were not affected by this incident. Front Rush also contacted the security researcher, who stated that he did not save or share any copies of the data. Although Front Rush has no evidence to suggest that the S3 bucket was accessed by anyone other than the security researcher, logs were not sufficient to show whether anyone else had accessed the data. Out of an abundance of caution, Front Rush undertook a comprehensive programmatic and manual review of the entire contents of the S3 bucket to confirm the type of information contained in the S3 bucket and the individuals to whom it related. Front Rush received results of the data mining investigation and began parsing the data to notify impacted institutions. On June 15, 2020, Front Rush notified institutions that data related to individuals affiliated with their institutions was impacted and worked with the institutions to obtain updated address information for individuals. Front Rush began sending letters to impacted individuals for whom address information was available on July 27, 2020.
What Information Was Involved? The personal information present in the S3 bucket at the time of the incident varied by individual but may have included first and last names and one or more of the following data elements: date of birth, Social Security number, Driver’s License Number/State ID Number, student ID number, passport number, other ID number, financial account information, payment card information, mother’s maiden name, birth certificate, username or email address and password, electronic signature, Medicare/Medicaid number, diagnoses, prescriptions, disability information, information, other medical information, health insurance subscriber and group numbers, and other health insurance information.
What is Front Rush Doing? Front Rush takes this incident and the security of your personal information seriously. Upon learning of this incident, Front Rush immediately took steps to reconfigure and secure the S3 bucket to ensure it was no longer publicly accessible, and launched an in-depth investigation to determine the nature and scope of the incident. Front Rush also promptly notified its customer institutions, answered questions posed by the institutions, and updated the institutions when the investigation completed. As part of its ongoing commitment to the privacy of personal information in its care, Front Rush also reviewed its existing policies and procedures to ensure the security of information in its systems. Front Rush will continue working to further secure the information in its systems going forward. Front Rush is also notifying state regulatory authorities, where required. Front Rush also made an offer of credit monitoring to individuals who had a Social Security Number or Driver’s License Number/State ID in the S3 bucket.
What Can Impacted Individuals Do. Front Rush has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 855-917-3546 (toll free), Monday – Friday, 9:00 a.m. to 9:00 p.m., Eastern Time (excluding U.S. national holidays). with questions or if they would like additional information. Potentially affected individuals may also consider the information and resources outlined below.
Monitor Your Accounts
Front Rush encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, promptly change any involved account passwords, and to review account statements, and credit reports for suspicious activity. Under U.S. law, individuals with credit reports are entitled to one (1) free credit report annually from each of the three (3) major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three (3) major credit bureaus directly to request a free copy of your credit report.
You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:
In order to request a security freeze, you will need to provide the following information:
- Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- If you have moved in the past five (5) years, provide the addresses where you lived over the prior five (5) years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); and
- If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.
As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a one (1) year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven (7) years. Should you wish to place a fraud alert, please contact any one of the agencies listed below:
You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
For Maryland residents, the Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-888-743-0023; or www.oag.state.md.us.
For North Carolina residents, the Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6400; or www.ncdoj.gov.
For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf or by writing to Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; https://ag.ny.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, Rhode Island 02903; www.riag.ri.gov; or 1-401-274-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident. There are approximately 64 Rhode Island residents whose personal information was present in the S3 bucket.
SOURCE Front Rush, LLC