Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Breach University of Virginia HR System

The University of Virginia said on Friday that hackers managed to break into a “component” of an HR system and access sensitive information, including W-2s and banking details of University employees.

The University of Virginia said on Friday that hackers managed to break into a “component” of an HR system and access sensitive information, including W-2s and banking details of University employees.

In a security incident notice, the University said the FBI recently notified the University of a data breach following a law enforcement investigation, which resulted in suspects overseas involved in the incident being taken into custody.

“In collaboration with the FBI, the University confirmed that unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees,” the notice said.

According to the University, the attack came via a phishing email scam by which the attackers sent emails asking recipients to click on a link and provide user names and passwords.

After successfully gaining valid user credentials, the cybercriminals were able to gain access to the HR system and the W-2s of approximately 1,400 employees. Additionally, direct deposit banking information of 40 employees was accessed.

After investigating the incident, it was determined that the attackers gained access to the HR records beginning in early November 2014, with the last suspected intrusion occurring in early February 2015.

Fortunately, the breach affected a small percentage of the 20,000 people employed by the University. 

“Phishing attacks have plagued and ravaged institutions for years, and will only escalate in 2016,” Adam Levin, Chairman and Founder of IDT911, told SecurityWeek. “While we don’t have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.”

“Even though this was a relatively small breach, the implications to the victims can be very far-reaching,” said Paul Martini, CEO of iboss Cybersecurity. “Personal and financial information, like the bank documents and Social Security Numbers stolen in the University of Virginia hack, is very lucrative for hackers to sell on the black market. This is another reminder that even sophisticated networks need to improve their safeguards against data breaches by focusing on stopping malware from stealing information after a hacker has infiltrated the network.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...