Prism RBS Data Breach FAQ
The UVM Bookstore recently learned that PrismRBS, a vendor that provides our e-commerce website, experienced a security incident in which an unauthorized third party obtained access to and was able to install malicious software designed to capture payment card information on some of the e-commerce servers that host uvmbookstore.uvm.edu/. As it relates to the UVM Bookstore website, a total of 670 individuals were affected and the University has taken steps to notify the individuals affected by this incident.
Isn't this the second time this has happened since January?
Yes. PrismRBS learned on April 26 of a security incident in which an unauthorized third party obtained access to one of its servers and was able to install malicious code. Unfortunately as a result, between April 13 and April 26, 2019, payment data could have been affected for orders placed during this window of time. PrismRBS is continuing to take steps to enhance the security of its systems. We apologize for any frustration or concern this may cause.
While this is the second incident since January, this incident involved different tactics and technology employed by the unauthorized party.
What data was affected?
Based on PrismRBS' forensic investigation, it appears that the unauthorized party was able to access payment card information, including cardholder names, card numbers, expiration dates, card verification codes, billing address and phone numbers for certain transactions made on the website.
Because we do not collect sensitive information such as Social Security, passport, or driver’s license numbers, this type of information was not affected by this incident.
What about purchases made on other websites or at other venues on campus?
This incident affected only e-commerce transactions made on uvmbookstore.uvm.edu between April 13th and 26th, 2019; transactions made outside of this period of time, those made in our on-campus facility and other university transactions were not affected by this incident.
What about transactions paid for using financial aid?
This incident was designed to capture payment card information only. Customers using financial aid as their payment type, were not affected.
What is the Bookstore doing?
Our website provider, PrismRBS, has engaged a leading IT forensic firm to assist in its comprehensive investigation. The vendor is also taking steps to enhance the security of its systems, including implementing additional threat monitoring and detection tools.
Is PrismRBS offering credit monitoring services?
As an added precautionary measure, our vendor, PrismRBS, is offering one year of identity protection services through IdentityWorks. Call 877-239-1287 for instructions on how to take advantage of this service.
What you (the customer) can do?
- You can review your credit or debit card account statements to determine if there are any discrepancies or unusual activity listed.
- Remain vigilant and continue to monitor statements for unusual activity going forward.
- If you see something you do not recognize, immediately notify your financial institution as well as the proper law enforcement authorities.
- In instances of credit or debit card fraud, it is important to note that cardholders are not typically responsible for any fraudulent activity that is reported in a timely fashion.
- Social security numbers and other sensitive personal information were not at risk in this incident. As a good general practice, it is recommended that you carefully check your credit reports for accounts you did not open or for inquiries from creditors you did not initiate.
- If you see anything you do not understand, call the credit agency immediately.
- As an additional precaution, the letter you received included an “Information about Identity Theft Protection” reference guide, which describes additional steps you may take to help protect yourself, including recommendations from the Federal Trade Commission regarding identity theft protection. Additional information from the FTC can be found at https://www.consumer.ftc.gov/features/feature-0014-identity-theft.
What if I have more questions?
If you have additional questions that are not addressed here, please call the Data Breach Information Line at 888-229-7874 and leave a message including your name, number, and a good time to reach you. Someone will return your call within 1 business day.