A mistake by an employee who clicked on a link in a phishing email and unwittingly granted access to an attacker has resulted in a data breach at the University of Virginia that dates back to late 2014 and exposed personal information of about 1,400 people.
The breach includes allowed attackers to get access to some tax information and banking data for the affected employees. Even though the breach happened in November 2014 and lasted until February 2015, UVA officials only began notifying victims late last week, saying that the FBI was investigating the incident, which took precedence over notifying victims.
“The incident is the result of a ‘phishing’ email scam by which the perpetrators sent emails asking recipients to click on a link.”
“In collaboration with the FBI, the University confirmed that unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees. The exposure does not include UVA Medical Center information as it is on a separate system,” the university said in a statement about the breach.
“The incident is the result of a ‘phishing’ email scam by which the perpetrators sent emails asking recipients to click on a link and provide user names and passwords. Once the perpetrators were able to gain access to the HR system, W-2s of approximately 1,400 employees (for years 2013 and 2014) and the direct deposit banking information of 40 employees were accessed.”
UVA officials said the attack didn’t affect records at the University Medical Center, which are housed on a separate system. Interestingly, the university said that there was no connection between this attack and an earlier one that was attributed to actors in China.
“The two incidents are unrelated. This incident occurred before the recent sophisticated cyber attack that originated in China on portions of the University’s IT systems and resulted in the University upgrading those affected systems in August. IT leadership with the support of the Board of Visitors has undertaken a security enhancement program aimed at fortifying the security of data and information stored on University resources and aiding in the prevention of future cyber attacks,” UVA officials said.
One similarity between the two cases is that the FBI notified the university of the breach both times.
Image from Flickr stream of Phil Roeder.