Enstar (US), Inc. (Enstar”) became aware of an incident that may affect some personal information maintained by Enstar. This notice provides details of the incident, Enstar’s response, and steps individuals may take to better protect against the possible misuse of their information should they feel it appropriate to do so.
On May 31, 2023, Progress Software Corp. publicly disclosed zero-day vulnerabilities that impacted the MOVEit Transfer tool. As a user of that tool, Enstar moved quickly to apply all software updates provided by the vendor to address vulnerabilities associated with the application and undertook recommended mitigation steps. Enstar promptly launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the potential impact of the vulnerabilities’ presence on our MOVEit Transfer server and on the data it stored. Enstar’s investigation determined that an unauthorized actor (subsequently identified as the criminal group known as ‘CL0P’) exploited this zero-day vulnerability, accessed the MOVEit Transfer server between May 29, 2023 and May 31, 2023, and exfiltrated data over that time. Enstar undertook a time-consuming and comprehensive review of the impacted data to understand the contents of that data and to whom that data relates. It was determined, as a result of the initial review, that Enstar didn’t have mailing addresses for all potentially impacted individuals. Enstar began providing notice of this event on November 20, 2023 to individuals for whom Enstar had a mailing address. Enstar then conducted a review of its records to try to locate additional addresses. This review was completed on March 22, 2024. On May 3, 2024, Enstar mailed the last set of letters but couldn’t locate addresses for all potentially impacted individuals.
While Enstar is currently unaware of any misuse of information relating to this incident, the data present within the accessible files that could have been subject to unauthorized access includes an individual’s name and one or more of Social Security number, driver’s license number, state- issued identification number, individual taxpayer identification number, financial account information, medical information, health insurance information, and email address and password.
Enstar has mailed notification letters to the individuals identified as impacted by this incident, for whom it has valid mailing addresses. If an individual did not receive a letter but would like to know if they are affected, they may call Enstar’s dedicated assistance line, provided below.
Enstar takes the confidentiality, privacy, and security of information in their care seriously. Upon discovery, Enstar immediately commenced an investigation to confirm the nature and scope of the incident. Enstar reported this incident to law enforcement, and has taken steps to implement additional safeguards relating to data privacy and security.
Enstar encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review their account statements, and to monitor their credit reports for suspicious activity. Individuals can also review the Steps You Can Take to Protect Personal Information, listed below, for general guidance.
Individuals with questions about this incident may call Enstar’s dedicated assistance line at 1-833-931-8588, Monday through to Friday from 9 am – 11 pm Eastern, or Saturday and Sunday from 11 am – 8 pm Eastern (excluding major U.S. holidays).
Enstar encourages individuals to remain vigilant against incidents of identity theft and fraud, to review their account statements, and to monitor their credit reports for suspicious activity.
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should consumers wish to place a fraud alert, please contact any of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.
Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:
Should consumers wish to place a credit freeze or fraud alert, please contact the three major credit reporting bureaus listed below:
| Equifax | Experian | TransUnion |
| https://www.equifax.com/personal/credit-report-services/ | https://www.experian.com/help/ | https://www.transunion.com/credit-help |
| 1-888-298-0045 | 1-888-397-3742 | 1-800-916-8800 |
| Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069 | Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013 | TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016 |
| Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788 | Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013 | TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094 |
Individuals may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and individuals’ state Attorney General. This notice has not been delayed by law enforcement.
