University of Virginia data breach exposed financial data

The university has admitted that cyberattackers were able to infiltrate areas of the human resource department's network.
Written by Charlie Osborne, Contributing Writer

The University of Virginia has admitted to a data breach which has placed the private data of employees at risk.

In a security advisory posted late last week, the academic institution said cyberattackers were able to access a component of the HR system, leading to the exposure of information belonging to approximately 1,400 Academic Division employees.

An FBI investigation has led to suspects being arrested and held in custody, although their number and identities are unknown.

The data breach was caused by something heard all too frequently by those in the law enforcement and security fields: a phishing attack. A malicious email, either sent in bulk or crafted specifically for the employees of an institution or company, is designed to obtain account information.

In this case, the University of Virginia says the phishing campaign asked for usernames and passwords to the human resource system.

Unfortunately, someone -- or a number of employees -- fell for the tactic, input their information, and granted the attackers access. Once inside, the group were able to access the HR system, the 2013 and 2014 W-2s of approximately 1,400 employees, and the direct deposit banking information of 40 employees.

There is no evidence that UVA Medical Center information was compromised as this information is held on a separate system.

According to the university, the cyberattackers gained access in early November 2014, and the last known intrusion took place in early February 2015. While arguably very late in admitting to the data theft and information exposure, the institution is taking the rather worn path in the aftermath by offering impacted employees a year of free credit monitoring and identity protection services in reparation.

Staff affected by the breach were notified from January 22, 2016. The university commented:

"The University has been and continues to collaborate with the FBI. Affected employees were notified as soon as it was practical, consistent with the FBI investigation."

The academic institution was quick to mention this data breach has nothing to do with a cyberattack in June which hit the university's IT systems. Originating in China, the attack focused on two email accounts belonging to employees working with Chinese nationals.

In response to the attack, the University of Virginia upgraded affected systems and improved security. Unfortunately, however, human error and tactics including phishing campaigns can circumvent even the most stringent defences.

In response to the data breach, iboss Cybersecurity CEO Paul Martini said:

"Even though this was a relatively small breach, the implications to the victims can be very far-reaching. Personal and financial information, like the bank documents and Social Security Numbers stolen in the University of Virginia hack, is very lucrative for hackers to sell on the black market.

"This is another reminder that even sophisticated networks need to improve their safeguards against data breaches by focusing on stopping malware from stealing information after a hacker has infiltrated the network."
