Wendi Moore reports:
The University of Virginia is the victim of another data breach. According to a UVA statement, the personal information of approximately 1,400 UVA academic division employees has been accessed in a phishing email scam.
The FBI notified UVA of the breach following an investigation. The FBI says suspects are in custody overseas.
NBC also provides a copy of the university’s statement, which addresses one question I had: whether this incident was related to an earlier phishing incident I had noted in August, 2015. Apparently, it’s not:
University of Virginia Statement:
To All University of Virginia Academic Division Employees:
The Federal Bureau of Investigation recently notified the University of Virginia of a data exposure following an extensive law enforcement investigation. University officials are also aware that other colleges and universities were targeted by these perpetrators. Suspects overseas involved in this incident are in custody.
In collaboration with the FBI, the University confirmed that, as a result of a “phishing” email scam, unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees. The exposure does not include UVA Medical Center information as it is on a separate system.
Officials took immediate steps to further enhance the security of the affected system. This incident is the result of a “phishing” email scam by which the perpetrators sent emails asking recipients to click on a link and provide user names and passwords. Once the perpetrators were able to gain access to the HR system, payroll records of approximately 1,400 employees were accessed by the perpetrators.
The University sent notifications via email and U.S. mail earlier today (Jan. 22) to the affected employees whose personally identifiable information was exposed and is offering these individuals one year of free credit monitoring and identity protection services. For general information about this incident, affected University employees may call toll free 1-855-907-3155. Frequently Asked Questions regarding this incident are also available online at http://www.virginia.edu/informationsecurity/Jan-22-incident-FAQs/.
The University has been and continues to collaborate with the FBI. Affected employees were notified as soon as possible consistent with the FBI investigation.
This incident is unrelated to the June cyber attack that originated in China on portions of the University’s IT systems. IT leadership with the support of the Board of Visitors has undertaken a security enhancement program aimed at fortifying the security of data and information stored on University resources and aiding in the prevention of future cyber attacks.
The University regrets that the personal information of these employees was accessed and will continue to fortify its systems to prevent this from occurring in the future. The security of personal information and data remains a top priority of the University and our IT professionals will continue to remain vigilant and work to further enhance our IT security infrastructure and systems.
Cyber security threats are increasing in number and complexity, and “phishing” emails are a common means by which attackers access systems. It is critically important that every member of our community be wary of suspicious emails and other communications asking for personal information such as individuals’ user names, passwords and banking information. More information about information security is available online at http://www.virginia.edu/informationsecurity/.
Sincerely,
Patrick D. Hogan
Executive Vice President and Chief Operating Officer
The FAQ provides more details. Of note:
When did the data exposure happen?
An internal investigation determined that the perpetrators gained access to the stolen records beginning in early November 2014. The last suspected intrusion occurred in early February 2015.
What information was accessed?
W-2s for approximately 1,400 employees (for years 2013 and 2014) and the direct deposit banking information of 40 employees were accessed. The University has more than 20,000 employees.
The University of Virginia has been named on this blog approximately half a dozen times for breaches in the past few years. I have also seen reference to their vulnerability to certain attacks that I have not published. At this point, given how many incidents they’ve reported, I wonder if they’ve called in Mandiant or some other firm to really investigate their defenses in depth and make recommendations. Universities collect and store a tremendous amount of personal and sensitive information and are prime targets for bad actors.