Information About Recent Cyber Attack and Data Breach

Michigan Catholic Conference was recently informed by its Information Technology consultant that a criminal data hack occurred against the MCC Wage Entry System. This attack likely breached sensitive personal information that employers use for wage reporting and other human resource information with MCC, including social security numbers, dates of birth and addresses.

This is a very worrisome situation for all involved, especially employees that were potentially impacted. It is important to note that not every person employed by a Catholic entity was impacted by this data breach. The surest way to know if you yourself were impacted is if you receive a letter directly from MCC at your home. Letters were mailed from MCC in Lansing on Wednesday, August 26. Your diocesan finance office may also have a list of those units in the diocese that were impacted.

MCC has contracted with Experian to provide those potentially impacted with one-year of free credit monitoring and identity theft protection. Employees who receive a letter from MCC must enroll in this service by November 30, 2015. MCC has also established a dedicated line with Epic Systems, an international data security firm, to help potentially impacted employees better understand cyber-attacks and data breaches.

If you receive a letter from MCC regarding the data breach we recommend you contact Experian (either over the phone or online) to set up your one-year complementary credit monitoring service using both the Engagement Number and Activation Code found in the upper right hand corner of the MCC letter. Again, your service must be activated by November 30, 2015. You may also contact Epiq Systems if you have further questions about identity theft and data breaches. As always, MCC Employee Benefits department may be contacted at 800-395-5565.

Contact Information for Potentially Impacted Employees

Frequently Asked Questions About Data Breach

How do I know if my information was stolen by a hacker?

If you received a letter from Michigan Catholic Conference about this matter it is likely your employer was among those units impacted by the cyber-attack. While MCC cannot say for sure if the personal data was taken, our Information Technology security consultant believes it is likely that the data was compromised.

How do I know if my personal information is being used fraudulently? What can I do?

Michigan Catholic Conference has contracted with Experian, one of the leading national experts in credit monitoring and identity theft protection, to provide you with one year of credit monitoring at no cost to you. It is highly recommended that you contact Experian as soon as possible to begin your credit monitoring services. They can be reached at 877- 371-7902 or www.protectmyid.com/redeem using the Engagement Number and Activation Code found in the upper right hand corner of the MCC letter.

Does every person who works for the Church in Michigan receive the free Experian credit monitoring service?

No, only those who were potentially impacted by the data breech and notified directly via an MCC letter sent through the U.S. postal service are eligible to receive the Experian credit monitoring and identity theft protection service.

How did MCC respond to this attack?

As soon as a suspicious file was detected hiding deeply on the MCC website it was deleted and the server that hosts the site locked down external access. MCC IT staff contacted its Information Technology consultant and within a few days the company reported its findings to MCC. Immediately upon learning of the data breach the website that exchanges human resource data with your employer was taken down and all personal identifiers were removed.

Why was personal information such as my Social Security Number just sitting out there on the Internet?

Michigan Catholic Conference has established with your employer a password-protected, encrypted webpage that allows human resource information to be transmitted. The data was not only encrypted and password-protected, it also sits behind a firewall system that is considered among the best in the industry. Personal data is necessary to ensure information is accurately attributed to each employee. The cyber-attack that impacted the Michigan Catholic Conference web server was sophisticated and able to gather information in a highly discreet manner.

How do I know my personal information is safe with MCC going forward?

All personal data has been removed from the human resource transmission site. Social security numbers and dates of birth are being replaced with a different identifier. All employers that access the benefits site will be given a new user name and password. There will be heightened scrutiny of the MCC server that hosts the website where human resource information is transmitted.

How and why could something like this happen to Catholic parishes and schools?

Cyber-attacks and hackers have become more common in recent years and have been able to penetrate the most secure systems in the country. National entities that have had their servers attacked and data breached recently include Home Depot, Target, TJ Maxx, UPS, the State of New York, Staples and, just last month, the United States Office of Personal Management. Many of these attacks come from out of the country, where hackers are able to disguise their Internet Address in a manner that provides them with almost virtual anonymity.

How many people were impacted by this data breach?

Not every employee that works for a Catholic entity in the state was impacted by this breach. However, there were over 10,000 employees who were potentially impacted. The best way of knowing if you yourself were impacted is if you receive a letter from Michigan Catholic Conference. If you receive a letter then your personal information was likely breached.

Were clergy affected?

No. MCC does not collect this information for clergy.

Were retirees impacted by this data breach?

Yes, 2014 and 2015 retirees whose human resource data was present on the Wage Entry System while they were still employed may be impacted. Similarly, retirees who are also active part-time employees are potentially impacted if their data was submitted to the MCC by the employer through the Wage Entry System. The surest way to know if you, as a retiree, were impacted by the data breach is if you receive a letter at your home from Michigan Catholic Conference. No banking information for any employee was breached.

Were there any minors affected by this cyber-attack?

Yes, approximately 60 of the data records breached were employees under the age of 18. MCC has sent a second letter to the parents/legal guardian of the minor employees. Because of their age, Experian is offering to the family of the minor one year of its FamilySecure credit monitoring and identity theft protection service. The parent or guardian of the minor must enroll in this service by December 31, 2015. Enrollment can take place at www.familysecure.com/enroll using the Activation Code in the upper corner of the second MCC letter. Those wishing to contact Experian over the phone can do so at 888-276-0529 using the Engagement Number also in the upper corner of the second MCC letter. Both the Activation Code and Engagement Number replace those listed in the first MCC letter dated August 25.

Was any employee dependent personal information stolen?

No. The MCC website that was hacked exchanges information only with the employer about the employee.

Was any of my personal data that was stolen used for fraudulent purposes? Should I check with my bank or credit card company?

There were no bank account numbers, credit card information or other personal banking information in the MCC system. According to our IT consultant, there is a likelihood that the data that was present, such as social security number, date of birth and address, was breached. However, MCC has no way of knowing if those personal identifiers have been or will be used by data hackers.

How does this data breach impact people who have already experienced a breach with, for example, a major retailer or another entity that announced a cyber-attack?

With the increased number of businesses, organizations and government agencies that are experiencing data breaches more and more people are being impacted, sometimes for a second or even a third time. Michigan Catholic Conference has established a dedicated telephone line with Epiq Systems for potentially impacted employees to ask this or any other specific question about data breaches and identity theft. Epiq Systems is an international data security firm and is ready to help employees with any questions they may have. Epiq can be contacted at 877-341-4607.