
PUBLIC NOTICE – January 30, 2025
We take the privacy and security of our employees and partners seriously. In this regard, in April 2024, a cybersecurity incident (the Incident) occurred that impacted the personal information of certain employees, former employees and contractors of Hammerhead Energy Inc (Hammerhead). The purpose of this notification is to inform individuals related to Hammerhead regarding the potential impact this incident may have had on their personal information, the measures available to them to protect their personal information, and the steps that have been taken to protect their personal information.
Impacted individuals regarding whom contact information was available are being notified – if you are a former employee or contractor of Hammerhead and have not received a letter regarding the incident, please reach out to us at csresponse@transunion.com to determine if you have been impacted by the incident.
What happened and what actions were taken
On or around April 25, 2024, it was discovered that an unauthorized third party gained access to a portion of Veren Partnership’s (Veren) IT infrastructure solely dedicated for use within the former IT environment of Hammerhead Energy. This included Hammerhead Energy network appliances, application servers and file servers. Upon discovery of the incident, countermeasures were immediately deployed to secure the network and data from further unauthorized access, and third party cybersecurity experts were retained to assist with containment and remediation, and to conduct a forensic investigation to determine the cause and scope of the incident. No portion of Veren’s IT environment containing Veren data, operations, applications were accessed in the Incident.
Additional security safeguards have been implemented to help prevent an incident of this nature from occurring in the future. Applicable privacy regulatory authorities and law enforcement have been notified of the incident.
Upon discovering that data had been exposed as a result of the Incident, a comprehensive review of the impacted data was conducted to determine the individuals that had been impacted and the types of personal information at issue.
What personal information is affected
The impacted personal information varies for each individual. In some cases, limited personal information was impacted, while in other cases, many types of personal information regarding an individual were compromised. Generally speaking, however, the following categories of personal information may have been impacted:
- First and last name;
- Contact information (personal phone number, email address and postal address);
- Date of birth;
- Income;
- Employment record (including employment and education history, employee ID, termination and disciplinary records and performance evaluation);
- Sexual orientation;
- Social insurance number and government ID;
- Financial information (such as bank account numbers, void cheques or copies of signed cheques); and
- Medical records.
We want to assure you that, to date, we are not aware of any personal information being misused such as to carry out identity theft and/or fraud. The types of impacted personal information can vary between affected individuals – specific categories of personal information impacted for each individual are outlined in the direct notification that has been sent to them.
Individuals who have not been directly notified of the incident can reach out to csresponse@transunion.com for more information on what types of personal information regarding them were impacted.
Credit Monitoring
As a protective measure, we are offering certain eligible individuals with a free one-year subscription to TransUnion credit monitoring and identity theft prevention services.
To determine whether or not you are eligible for this service, please refer to your notification letter (if you have received one) or contact us by email at csresponse@transunion.com. We encourage you to contact us and activate the activation code as soon as possible. Please note that credit monitoring services must be activated no later than March 31, 2025.
What you can also do to protect yourself
We encourage you to always be vigilant and limit any potential damage by taking the following preventative measures:
- Monitor your bank accounts. If you have any concerns or identify any suspicious or fraudulent transactions on your credit or debit card, we recommend that you contact your financial institution, law enforcement or the Canadian Anti-Fraud Centre (1-888-495-8501).
- Change your passwords regularly and make sure they are secure - especially when an account is linked to your Social Insurance Number. Never use the same passwords.
- Be careful about sharing your personal information in an unsolicited manner, whether by phone, email or on a website.
- Avoid clicking on links or downloading attachments in suspicious emails.
- If you notice any suspicious activity, report it to the appropriate authorities.
- Contact us and sign up for the credit monitoring services described above.
The following website offers additional tips and resources to help protect your identity: Identity theft and you - Office of the Privacy Commissioner of Canada
We regret any stress and inconvenience this incident may have caused.