A server at Virginia Commonwealth University, containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates, was breached in October, during a two step attack. As a result, 176, 567 individuals may have been exposed to personal data theft.
Mark Willis, the CIO of VCU, said that on October 24, routine monitoring discovered suspicious files on one of the network devices. The server was taken offline and the vulnerabilities on it patched. Given that the server contained no personal or otherwise sensitive information; the incident was considered resolved, until five days later.
“Five days later, VCU’s continuing investigation revealed two unauthorized accounts had been created on a second server, which also was taken offline. Subsequent analysis showed the intruders had compromised this device through the first server. The intruders were on the server a short period of time and appeared to do nothing other than create the two accounts,” Willis noted in his notification letter.
This second server contained data on 176,567 individuals including a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information. The university can not say with complete certainty that the data wasn’t compromised, even though the likelihood is low. So, to play things safe, they issued a wide notification, and advice on monitoring personal information, including credit monitoring or acquiring identity protection services.
The university said they will not automatically grant everyone potentially impacted by the incident identity theft protection. “However, for the peace of mind of concerned students, employees and affiliates, the University will honor individual requests for these services,” the notification details explained.
More information on the incident can be found here.