Notice of Data Breach

The Housing Authority of the City of Salem (“SHA”) is informing its applicants, program participants, tenants, and other individuals that conduct business with SHA of a data security incident that may have involved personal information. At SHA, we take the privacy and security of personal information very seriously and are informing impacted individuals about steps that can be taken to protect their personal information.

What Happened? On November 20, 2018, SHA received an email from a known associate that contained an email attachment that was opened and resulted in the download of two viruses. The same day, SHA disabled all SHA staff accounts and forced password resets on all accounts. SHA’s internal IT Department, in conjunction with the City of Salem’s IT Department, immediately began an investigation to determine what had occurred and whether personal information may have been affected. All computers were subsequently cleaned of all infection. On or around November 30, 2018, SHA was informed that personal information may have been affected. SHA determined that the incident was restricted to SHA staff email contacts.

What Information Was Involved? The following information may have been affected: names, phone numbers, email addresses, and other contact information that was stored in SHA staff’s Microsoft Outlook contacts. Other information, such as personal addresses, bank account information, dates of birth, protected health information, and social security numbers was not released.

What Are We Doing? SHA took the steps referenced above in response to the data security incident. We are also providing impacted individuals with additional information about steps to take to protect their personal information.

What You Can Do: We are providing the follow the recommendations to assist you with taking steps to protect your personal information.  Additionally, you may contact SHA’s Compliance Manager, Adam Mentzer, JD, at (503) 587-4815 or at to obtain information about the incident. Any updates will be provided on our website at

Steps You Can Take to Further Protect Your Information

Beware of Phishing or Suspicious Emails Purporting to be from SHA Staff: As a result of the security incident, you may receive suspicious or phishing emails purporting to be from SHA staff. These emails may request that you pay an invoice or may request other information from you. These emails may contain a signature block with the name of SHA staff as well as an out-of-state phone number. Please note that SHA does not send invoices by email.

If you receive a suspicious or phishing email purporting to be from SHA staff, please be advised that:

(1)   There is a possibility that the email is not from the SHA staff member whose name and email address are listed in your inbox or in the body of the email;

(2)   Do not open any attachments or click on any links;

(3)   Do not reply to the email or provide any sensitive information to the sender; and

(4)   If you have any concerns of the authenticity of an email, please contact the SHA staff member directly at their email or phone number provided on our website,, to confirm that the email is legitimate.

Review Your Account Statements and Notify Law Enforcement of Suspicious Activity:  As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely.  If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained.  You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission (“FTC”).

Copy of Credit Report:   You may also want to contact the three U.S. credit reporting agencies to obtain a free credit report. You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting, or by calling toll-free (877) 322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348.  You can print this form at You can also contact one of the following three national credit reporting agencies:

P.O. Box 1000
Chester, PA 19016

P.O. Box 9532
Allen, TX 75013

P.O. Box 740256
Atlanta, GA 30374

Free Annual Report
P.O. Box 105281
Atlanta, GA 30348

 Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Personal information is sometimes held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

 Fraud Alert:  You may want to consider placing a fraud alert on your credit report.  An initial fraud alert is free and will stay on your credit file for at least 90 days.  The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name.  To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above.  Additional information is available at

Security Freeze:  In some U.S. states, including Oregon, you have the right to put a security freeze on your credit file.  By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name.  Additionally, a security freeze is designed to prevent potential creditors from accessing your credit report without your consent.  Keep in mind that when you place a freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove your freeze. You must separately place a security freeze on your credit file with each credit reporting agency.  

The cost of placing the freeze is no more than $10 for each credit reporting agency for a total of $30. However, if you are a victim of identity theft and have filed a report with your local law enforcement agency or submitted an ID Complaint Form with the FTC, there may be no charge to place the freeze. To place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement. To obtain a security freeze, contact the following agencies:

(1)   Equifax: 1-888-298-0045;

(2)   TransUnion: Fraud Victim Assistance Department, PO Box 6790, Fullerton CA 92834

(3)   Experian: Send an e-mail to

Additional Free Resources:  You can obtain information from the consumer reporting agencies, the FTC or from the Oregon Department of Justice and Attorney General about steps you can take toward preventing identity theft.  You may report suspected identity theft to local law enforcement, including to the FTC or to the Attorney General in your state.  

Federal Trade Commission
600 Pennsylvania Ave, NW
Washington, DC  20580, and

Oregon Department of Justice
Consumer Protection
1162 Court St NE

Salem, OR 97301

Oregon Department of Consumer and Business Services

350 Winter St NE, Rm. 410

Salem, OR 97309


You also have certain rights under the Fair Credit Reporting Act (FCRA), including the right to know what is in your file, to dispute incomplete or inaccurate information, and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information.  For more information about the FCRA, and your rights pursuant to the FCRA, please visit