Report a Third-Party Breach

There are many ways we can learn of breaches for systems used outside of Cornell’s centrally offered services:

  • Notification from the vendor once logged into an online account
  • A phone, text, or email notification
  • Media reports


Note: Exercise caution with phone, text, or email notifications as they may not come from legitimate sources. Always confirm the source of the notification by engaging the third-party directly. This is much safer than replying to or clicking on links in emails, and helps you potentially avoid falling for phishing scams.



  • If a notification is received via phone, text, or email and you are not sure if it is legitimate, check the Phish Bowl to see if it is posted as a known fraudulent communication AND contact the vendor directly to confirm.
  • Contact your supervisor, local IT Support, the IT Service Desk, and IT Security Liaison for assistance.



  • The level of risk to your personal information or Cornell data is largely dependent on
    • what kind of data is stored by the vendor or third-party
    • information reported as exposed/disclosed