The Federal Bureau of Investigation recently notified the University of Virginia (UVA) of a data exposure following an extensive law enforcement investigation.
The University confirmed that, as a result of a phishing email scam, unauthorized individuals were able to access the human resources system, thus exposing the payroll records of approximately 1,400 employees, including W-2s for years 2013 and 2014, which include Social Security numbers. And, the direct-deposit banking information of 40 employees were accessed.
The exposure did not include UVA Medical Center information, which is housed on a separate system.
UVA also said that other colleges and universities were targeted by the perpetrators, and that the incident is unrelated to the June cyber-attack that originated in China on portions of the University’s IT systems. Suspects overseas involved in this incident are in custody.
Even though this was a relatively small breach, the implications to the victims can be very far-reaching, according to iboss cybersecurity CEO Paul Martini. “Personal and financial information, like the bank documents and Social Security numbers stolen in the University of Virginia hack, is very lucrative for hackers to sell on the black market,” he said, in an email. “This is another reminder that even sophisticated networks need to improve their safeguards against data breaches by focusing on stopping malware from stealing information after a hacker has infiltrated the network.”
As cybersecurity threats are increasing in number and complexity, phishing emails have become a common means by which attackers access systems—and a preventable one.
“IT leadership with the support of the Board of Visitors has undertaken a security enhancement program aimed at fortifying the security of data and information stored on University resources and aiding in the prevention of future cyber-attacks,” officials said. “It is critically important that every member of our community be wary of suspicious emails and other communications asking for personal information such as individuals’ user names, passwords and banking information.”
Photo © Melinda Fauver