Carruth Compliance Consulting is the third-party administrator that handles 403(b) and 457(b) retirement savings plans for many Oregon school districts, including LBCC. Carruth discovered suspicious activity on their computer systems. An investigation revealed that unauthorized access to Carruth’s network occurred in late December 2024, resulting in the compromise of sensitive employee data for Carruth’s clients, including LBCC.

This incident impacts all employees who have been employed by LBCC, regardless of whether or not Carruth was actively managing your 403(b) or 457(b) retirement saving plans.

See the official statement from Carruth. For support or questions, please contact carruthbreach@linnbenton.edu.

 

Frequently Asked Questions

Carruth Compliance Consulting, the third-party administrator of LBCC’s 403(b) and 457(b) retirement savings plans, discovered suspicious activity on its computer systems in late 2024. An investigation revealed that sensitive employee data for Carruth’s clients, including LBCC, was affected. Carruth’s customers include many of the school districts, ESDs and other organizations throughout Oregon and beyond. More information about this incident is available on Carruth’s website.

Carruth immediately began working with third-party specialists to investigate the activity, and then notified the Federal Bureau of Investigation. The company also immediately engaged a sub-contractor to handle processing of information coming in from its clients. For the foreseeable future, no further retirement account transactions from LBCC employees will be processed by Carruth.

Yes, we understand that this incident occurred on Carruth’s network only. There currently is no indication that LBCC’s systems or network was impacted.

We have limited information from Carruth at this time. The information Carruth has currently provided us is that they believe that this data security incident may have impacted all employees who have been employed by LBCC since 2008, regardless of whether or not Carruth was actively managing your 403(b) or 457(b) retirement saving plans. We are working to verify if all employees are impacted.

According to Carruth, the company will not be notifying employees who have been impacted nor will it provide a list of affected employees to LBCC. Please review next steps and how to access credit monitoring support below.

Although we currently do not have sufficient information from Carruth to confirm exactly who or what was impacted, we are providing you with this notice out of an abundance of caution.

Information that was potentially shared includes employee names, social security numbers, dates of birth, LBCC email address, street address, and date of hire information, and contribution amounts to 403(b) and 457(b) retirement savings accounts (not Oregon Public Employees Retirement System - PERS).

Additionally, Carruth has alerted us that the impacted information could include any information you shared directly with Carruth in the management of your 403(b) or 457(b) retirement savings plans, that information, too, may have been compromised — information like beneficiaries, power of attorney, financial account information, driv license numbers, W-2 information, medical billing information (but not medical records) and tax filings.

We are working with Carruth to understand the full scope of the data security incident and to ensure appropriate steps to mitigate the impact to our employees. We are providing this FAQ and will provide more information as it becomes available.

You will not receive any notification from Carruth verifying that your information was compromised. Instead, you should proactively take action:

  • Enroll in credit monitoring and identity restoration services: Carruth is offering free credit monitoring and identity restoration services through IDX for one year. To enroll, call IDX at 877-720-7895. (Monday - Friday, except holidays).
  • Monitor your accounts: Regularly review your retirement savings plans, bank accounts, credit card statements, and other financial accounts for any suspicious activity. If you see anything unusual, report it to your financial institution immediately.
  • Check your credit reports: You're entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion). Visit Annual Credit Report or call 1-877-322-8228 to order your free reports.
  • Consider placing a fraud alert or credit freeze on your credit report: You can place a fraud alert or credit freeze on your credit report to help protect yourself from identity theft. See details below.
  • Report any suspicious activity: If you suspect you are a victim of identity theft, report it to the Federal Trade Commission (FTC) at IndentityTheft or 1-877-ID-THEFT (1-877-438-4338). You should also file a police report.

Fraud Alert: A fraud alert notifies creditors to verify your identity before issuing new credit. You can place an initial fraud alert (lasting one year) or an extended fraud alert (lasting seven years), if you're already a victim of identity theft.

Credit Freeze: A credit freeze prevents credit bureaus from releasing your credit report without your explicit consent. A credit freeze is designed to prevent credit, loans and services from being approved in a consumer's name without consent. However, consumers should be aware that using a credit freeze may delay, interfere with or prohibit the timely approval of any subsequent requests or applications they make regarding new loans, credit, mortgages or any other accounts involving the extension of credit.

To place a fraud alert or credit freeze, contact the three major credit reporting bureaus:

Advice for those impacted by identity theft: