Current Details on Service Systems Associates, Inc. Data Breach

We are providing this notification to report that Service Systems Associates, Inc. (“SSA”) was recently the victim of a data security breach.

The incident occurred in the point-of-sale systems located in the gift shops of fewer than a dozen of our clients. This means that if a guest used a credit or debit card in the gift shop at one of the following partner facilities between March 24 and May 20, 2015, the information on that card may have been compromised: Dallas Zoo, Detroit Zoo, El Paso Zoo, Fresno Chaffee Zoo, Herman Park Conservancy, Honolulu Zoo, Houston Zoo, Zoo Miami, Tampa’s Museum of Science and Industry, and the Pittsburgh Zoo & PPG Aquarium.

Investigation

SSA takes this issue very seriously. As soon as we learned about the attack, SSA began working with law enforcement officials and a third-party forensic investigator, Sikich, to investigate the breach. Through this investigation, we learned that the security of some personal information, including names, and credit card numbers had been affected. SSA has also notified the major credit card companies of this situation and they are in the process of notifying their customers.

Though the investigation into this attack continues, this notice has not been delayed by law enforcement. SSA has taken steps to protect the personal information of guests from further unauthorized access, including identifying and removing the malware that caused the breach. SSA is also taking several steps to improve its security and prevent future attacks, including dual authentication for remote access, encryption devices, and the elimination of keyboard based mag readers, among other things.

Identity Protection Services

Out of an abundance of caution, we are offering affected individuals access to one year of credit monitoring services at no cost. Information about these services may be obtained by e-mailing servicesystems@protectmyid.com.

Protecting Yourself From Fraud

We suggest that individuals who may have been affected by this incident remain vigilant by reviewing account statements for suspicious activity and monitoring free credit reports. Under U.S. law, individuals are entitled to a free annual credit report from each of the three major credit bureaus. To obtain a free credit report, visit www.annualcreditreport.com or call, toll-free, (877) 322-8228. Guests who view any fraudulent activity on a credit or debit card should contact the relevant card issuer as soon as possible. Most credit card companies do not hold customers liable for fraudulent charges if they are promptly reported.

If you believe you are a victim of identity theft, you should contact one of the consumer reporting agencies listed below to place a fraud alert or security freeze on your credit report. You only need to contact one of the three credit reporting companies to place an alert.

TransUnion:
1-800-680-7289
www.transunion.com
Fraud Victim Assistance Division
P.O. Box 6790
Fullerton, CA 92834-6790

Equifax:
1-800-525-6285
www.equifax.com
P.O. Box 740241
Atlanta, GA 30374-0241

Experian:
1-888-EXPERIAN (397-3742)
www.experian.com
P.O. Box 9554
Allen, TX 75013

Suspected incidents of identity theft should be immediately reported to local law enforcement, the Federal Trade Commission, and your state Attorney General. State Attorneys General and the FTC may also have advice on preventing identity theft, including placing a fraud alert or security freeze on your credit files.

For North Carolina and Maryland Residents

We are required by Maryland and North Carolina state laws to notify you that you may obtain information about preventing identity theft by contacting the Maryland and North Carolina Attorneys General.

  • For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, (919) 716-6400, www.ncdoj.gov.
  • For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, (888) 743-0023, www.oag.state.md.us.

You may also contact the FTC at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft, (877) ID-THEFT (877-438-4338); TTY: (866) 653-4261.

For Residents of Massachusetts and West Virginia

We are required by Massachusetts and West Virginia law to notify affected individuals (1) that they have the right to obtain any police report filed in regard to this incident; (2) that if they are the victim of identity theft, they also have the right to file a police report and obtain a copy of it; and (3) that they may place a security freeze on their credit reports.

A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services.

If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 in Massachusetts and $5.30 in West Virginia to place, temporarily lift, or permanently remove a security freeze.

To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies. In order to request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security Number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
  5. Proof of current address such as a current utility bill or telephone bill;
  6. A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.)
  7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
  8. If you are not a victim of identity theft, include payment by check, money order, or credit card

(Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze. To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

Contact Information

We will provide relevant updates on our website as soon as they may become available. SSA is available to answer any questions about the data security breach and the personal information maintained by SSA that may have been compromised, and to provide more information about the credit monitoring and identity protection services we are offering. We may be reached from 9:00 a.m. to 4:00 p.m. MST toll-free at (855) 201-0806, or creditinvestigation@kmssa.com.

Again, we are very sorry for any inconvenience due to this situation.

 

 

 

Previous Details on Service Systems Associates, Inc. Data Breach (Originally Posted 7/7/2015)

We are sorry to report that Service Systems Associates, Inc. (SSA) was recently the victim of a data security breach.

The violation occurred in the point of sale systems located in the gift shops of fewer than a dozen of our clients.  This means that if a guest used a credit or debit card in the gift shop at one of a limited number of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.

SSA takes this issue very seriously. As soon as we learned about the attack, SSA began working with law enforcement officials and a third-party forensic investigator, Sikich, to investigate the breach.

Though the investigation into this attack continues, the malware that caused the breach was identified and removed. All visitors should feel confident using credit or debit cards anywhere in these facilities. SSA is also taking several steps to improve its security and prevent future attacks.

SSA has notified the credit card companies of this situation. Guests who view any fraudulent activity on a credit or debit card should contact the relevant card issuer as soon as possible. Most credit card companies do not hold customers liable for fraudulent charges if they are promptly reported.

Additionally, here is some advice from the Consumer Financial Protection Bureau:

If you believe you are a victim of identity theft, you should contact one of the consumer reporting agencies listed below to place a fraud alert on your credit report. You only need to contact one of the three credit reporting companies to place an alert.

TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9554, Allen, TX 75013

For more details on the steps to take if you are a victim of identity theft, visit the Federal Trade Commission’s Identity Theft website at http://www.ftc.gov/bcp/edu/microsites/idtheft.

We will provide relevant updates as soon as they may become available.

Again, we are very sorry for any inconvenience due to this situation.

Regards,

Timothy L. Brantley, CEO