Important Notice from Front Rush, LLC
June 30, 2020
Front Rush, LLC ("Front Rush") has notified its customers about an incident that may affect the privacy of some of personal information of athletes at Baldwin Wallace. Front Rush provides athletics management software solutions to academic institutions and amateur athletics organizations ("institutions"). One or several of these institutions recruited you as a student athlete, or you may have been a member of one or more institutions, and some of your information was stored within Front Rush's systems due to the institutions' use of Front Rush. While we are unaware of any actual or attempted misuse of your information, this letter provides details of the incident, our response, and resources available to help protect your information from possible misuse, should you feel it is appropriate to do so.
What Happened? On or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazons Web Services S3 buckets ("the S3 bucket") was publicly accessible from the internet. The S3 bucket contained: (a) certain attachments (like transcripts, injury reports, or athletic reports) that were placed in the platform by the institutions; and (b) certain attachments that were uploaded by student-athletes, prospective student-athletes or their parents/guardians, in response to prompts in a recruitment questionnaire formulated and disseminated by the institutions.
Upon learning of this event, Front Rush immediately commenced an investigation, working with third party forensic investigators, to assess the nature and scope of the incident. The investigation determined that the S3 bucket was publicly accessible between January 18, 2016 and January 8, 2020. Front Rush's own internal database and systems were not affected by this incident. We also contacted the security researcher, who stated that he did not save or share any copies of the data. Although we have no evidence to suggest that the S3 bucket was accessed by anyone other than the security researcher, logs were not sufficient to show whether anyone else had accessed the data. Out of an abundance of caution, we undertook a comprehensive programmatic and manual review of the entire contents of the S3 bucket to confirm the type of information contained in the S3 bucket and the individuals to whom it related. We received results of the data mining investigation on May 19, 2020 and began parsing the data to notify impacted institutions. The institutions were notified that your information was confirmed to be impacted.
What Information Was Involved? Although we do not have any evidence demonstrating that your information was accessed or acquired, our investigation determined the information present in the S3 bucket included your name and the following types of personal information: date of birth, Social Security number, driver's license number/state ID number, student ID number, passport number, other ID number, financial account information, payment card information, mother's maiden name, birth certificate, username or email address and password, electronic signature, Medicare/Medicaid number, diagnoses, prescriptions, disability information, information, other medical information, health insurance subscriber and group numbers, and other health insurance information.
What Is Front Rush Doing? We take this incident and the security of your personal information seriously. Upon learning of this incident, Front Rush immediately took steps to reconfigure and secure the S3 bucket to ensure it was no longer publicly accessible, and launched an in-depth investigation to determine the nature and scope of the incident. Front Rush also notified its customer institutions and updated them as the investigation unfolded. As part of Front Rush's ongoing commitment to the privacy of personal information in its care, Front Rush also reviewed its existing policies and procedures to ensure the security of information in its systems. Front Rush will continue working to further secure the information in its systems going forward. Front Rush is also notifying state regulatory authorities, where required.
As an added precaution, Front Rush is also offering you complimentary access to identity monitoring, fraud consultation and identity theft restoration services through TransUnion. If you wish to activate these services, you may follow the instructions included in the "Steps You Can Take to Protect Your Information."
What Can You Do? We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity. Additionally, please review the enclosed "Steps You Can Take to Protect Your Information." You may also enroll to receive the credit monitoring and identity theft protection services we are making available to you. Front Rush is making these services available at no cost to you; however, you will need to enroll yourself in these services.
For More Information. We recognize that you may have questions not addressed in this letter. If you have additional questions, please call our dedicated assistance line at (855) 917-3546 (toll free), Monday - Friday, 9:00 a.m. to 9:00 p.m., Eastern Time (excluding U.S. national holidays). We sincerely regret any inconvenience this incident may cause you. Protecting your information is important to us, and Front Rush remains committed to safeguarding information in our care.