Destination Kohler takes very seriously the privacy and protection of our guests which is why, as a precautionary matter, we are posting this notice to inform you of a recent security incident. This incident may involve some of the information our guests provided in connection with their reservation(s) booked with The American Club or Sandhill Cabin for overnight stays between November 29, 2020 and December 1, 2021, including pre-bookings for 2021, that was stored by our third-party booking solutions provider, TravelClick.
On January 21, 2021, one of our employees was the victim of a sophisticated phishing attack that compromised their TravelClick login credentials after inadvertently responding to a malicious email that appeared to contain a legitimate link to TravelClick’s web portal. As soon as the employee reported the phishing attack to us on January 21, 2021, we immediately notified TravelClick and prevented other users from accessing the phishing email. We also requested that TravelClick immediately cancel the employee’s account and create a new account for that user.
On March 11, 2021, we were informed by TravelClick that it had been conducting a confidential investigation into a potential security incident and determined that our employee’s credentials may have been used by an unauthorized third party to log in to our third-party reservations system managed by TravelClick and potentially access certain payment card information associated with our guests’ reservations, including cardholder name, card number, and expiration date. However, TravelClick has stated that cardholders’ PINs and security codes were not available or impacted. Up until we received notice from TravelClick on March 11, 2021, we had no reason to believe that any of our guests’ personal information was at risk, nor did we know that TravelClick was conducting an investigation into a potential security incident.
Although we have no evidence that any of our guests’ payment card information was actually accessed or misused by an unauthorized third party, we are issuing this notice out of an abundance of caution in the hopes of reaching guests for whom current contact information is not available. Destination Kohler will offer free credit monitoring services for two years to individuals who are affected by this incident. If eligible, instructions on how to enroll can be obtained by calling the telephone number below.
We encourage impacted individuals to remain vigilant for incidents of fraud and identity theft by reviewing their account statements and monitoring their credit reports for unauthorized activity. If you discover any suspicious or unusual activity on your accounts, you should promptly notify the financial institution or company with which your account is maintained. Below is information about other precautionary measures impacted individuals can take to protect their personal information.
If you have booked a reservation with The American Club or Sandhill Cabin with overnight stay dates between November 29, 2020 and December 1, 2021, and believe your information may be part of this incident, please contact our dedicated incident response line at (855) 654-0904 between 8 a.m. – 8 p.m. Central Time, Monday through Friday, for more information and to enroll in complimentary credit monitoring services.
Vice President of Lodging and Wellness
1. Free Credit Report. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the nationwide credit reporting agencies. To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (FTC) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. Contact information for the national credit reporting agencies for the purpose of requesting a copy of your credit report and other general inquiries is provided below:
· Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
· Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742
· TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213
· Innovis, PO Box 1689, Pittsburgh, PA 15230-1689, www.innovis.com, 1-800-540-2505
2. Fraud Alert. You have the right to place an initial or extended “fraud alert” on your file at no cost by contacting any of the nationwide credit reporting agencies. Contact information for the national credit reporting agencies for the purposes of placing a fraud alert on your file is provided below. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert displayed on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. For this reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. If you are a victim of identity theft and have filed an identity theft report with law enforcement, you may want to consider placing an extended fraud alert, which lasts for 7 years, on your credit file.
· Equifax, PO Box 105069, Atlanta, GA 30348-5069, www.equifax.com/personal/credit-report-services/credit-fraud-alerts, 1-800-525-6285
· Experian, PO Box 9554, Allen, TX 75013, www.experian.com/fraud/center.html, 1-888-397-3742
· TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com/fraud-alerts, 1-800-680-7289
· Innovis Consumer Assistance, PO Box 26, Pittsburgh, PA 15230-0026, https://www.innovis.com/personal/fraudActiveDutyAlerts, 1-800-540-2505
3. Security Freeze. You have the right to place, lift, or remove a “security freeze” on your credit report, free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. Under federal law, you cannot be charged to place, lift, or remove a security freeze.
You must place your request for a freeze separately with each of the consumer reporting agencies. To place a security freeze on your credit report, you may do so by contacting each of the consumer reporting agencies through the contact information below:
· Equifax, PO Box 105788, Atlanta, GA 30348-5788, www.equifax.com/personal/credit-report-services/credit-freeze, 1-800-298-0045
· Experian, PO Box 9554, Allen, TX 75013, www.experian.com/freeze/center.html, 1-888-397-3742
· TransUnion, PO Box 160, Woodlyn, PA 19094, www.transunion.com/credit-freeze, 1-888-909-8872
· Innovis, PO Box 26, Pittsburgh, PA 15230-0026, www.innovis.com/personal/securityFreeze, 1-800-540-2505
In order to request a security freeze, you will need to provide some or all of the following information to the credit reporting agency, depending on whether you do so online, by phone, or by mail (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.
The credit reporting agencies have 1 business day after receiving your request by toll-free telephone or secure electronic means, or up to 3 business days after receiving your request by mail, to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within 5 business days and may provide you with a unique personal identification number (PIN) or password (or both) that can be used by you to authorize the removal or lifting of the security freeze. It is important to maintain this PIN/password in a secure place, as you will need it to lift or remove the security freeze.
To lift the security freeze in order to allow a specific entity or individual access to your credit report, or to lift a security freeze for a specified period of time, you must submit a request through a toll-free telephone number, a secure electronic means maintained by a credit reporting agency, or by sending a written request via regular, certified, or overnight mail to the credit reporting agencies and include proper identification (name, address, and Social Security number) and the PIN or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have 1 business day after receiving your request by toll-free telephone or secure electronic means, or 3 business days after receiving your request by mail, to lift the security freeze for those identified entities or for the specified period of time.
To remove the security freeze, you must submit a request through a toll-free telephone number, a secure electronic means maintained by a credit reporting agency, or by sending a written request via regular, certified, or overnight mail to each of the credit bureaus and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have 1 business day after receiving your request by toll-free telephone or secure electronic means, or 3 business days after receiving your request by mail, to remove the security freeze.
4. Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the FTC, proper law enforcement authorities and/or your state attorney general. You may also contact these agencies for information on how to prevent or avoid identity theft and to obtain additional information about fraud alerts and security freezes. You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (438-4338).