A server at Virginia Commonwealth University, containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates, was breached in October, during a two step attack. As a result, 176, 567 individuals may have been exposed to personal data theft.
Mark Willis, the CIO of VCU, said that on October 24, routine monitoring discovered suspicious files on one of the network devices. The server was taken offline and the vulnerabilities on it patched. Given that the server contained no personal or otherwise sensitive information; the incident was considered resolved, until five days later.
“Five days later, VCU’s continuing investigation revealed two unauthorized accounts had been created on a second server, which also was taken offline. Subsequent analysis showed the intruders had compromised this device through the first server. The intruders were on the server a short period of time and appeared to do nothing other than create the two accounts,” Willis noted in his notification letter.
This second server contained data on 176,567 individuals including a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information. The university can not say with complete certainty that the data wasn’t compromised, even though the likelihood is low. So, to play things safe, they issued a wide notification, and advice on monitoring personal information, including credit monitoring or acquiring identity protection services.
The university said they will not automatically grant everyone potentially impacted by the incident identity theft protection. “However, for the peace of mind of concerned students, employees and affiliates, the University will honor individual requests for these services,” the notification details explained.
More information on the incident can be found here.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
