The University of Virginia said on Friday that hackers managed to break into a "component" of an HR system and access sensitive information, including W-2s and banking details of University employees.
In a security incident notice, the University said the FBI recently notified the University of a data breach following a law enforcement investigation, which resulted in suspects overseas involved in the incident being taken into custody.
“In collaboration with the FBI, the University confirmed that unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees,” the notice said.
According to the University, the attack came via a phishing email scam by which the attackers sent emails asking recipients to click on a link and provide user names and passwords.
After successfully gaining valid user credentials, the cybercriminals were able to gain access to the HR system and the W-2s of approximately 1,400 employees. Additionally, direct deposit banking information of 40 employees was accessed.
After investigating the incident, it was determined that the attackers gained access to the HR records beginning in early November 2014, with the last suspected intrusion occurring in early February 2015.
Fortunately, the breach affected a small percentage of the 20,000 people employed by the University.
“Phishing attacks have plagued and ravaged institutions for years, and will only escalate in 2016,” Adam Levin, Chairman and Founder of IDT911, told SecurityWeek. “While we don't have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.”
“Even though this was a relatively small breach, the implications to the victims can be very far-reaching,” said Paul Martini, CEO of iboss Cybersecurity. “Personal and financial information, like the bank documents and Social Security Numbers stolen in the University of Virginia hack, is very lucrative for hackers to sell on the black market. This is another reminder that even sophisticated networks need to improve their safeguards against data breaches by focusing on stopping malware from stealing information after a hacker has infiltrated the network.”