Hackers Breach University of Virginia HR System

The University of Virginia said on Friday that hackers managed to break into a “component” of an HR system and access sensitive information, including W-2s and banking details of University employees.

In a security incident notice, the University said the FBI had recently notified it of the data breach following a law enforcement investigation, which resulted in overseas suspects involved in the incident being taken into custody.

“In collaboration with the FBI, the University confirmed that unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees,” the notice said.

According to the University, the attack came via a phishing email scam in which the attackers sent emails asking recipients to click on a link and provide user names and passwords.

After obtaining valid user credentials, the cybercriminals were able to access the HR system and the W-2s of approximately 1,400 employees. Direct deposit banking information of 40 employees was also accessed.

The investigation determined that the attackers gained access to the HR records beginning in early November 2014, with the last suspected intrusion occurring in early February 2015.

Fortunately, the breach affected a small percentage of the 20,000 people employed by the University. 

“Phishing attacks have plagued and ravaged institutions for years, and will only escalate in 2016,” Adam Levin, Chairman and Founder of IDT911, told SecurityWeek. “While we don’t have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals.”

“Even though this was a relatively small breach, the implications to the victims can be very far-reaching,” said Paul Martini, CEO of iboss Cybersecurity. “Personal and financial information, like the bank documents and Social Security Numbers stolen in the University of Virginia hack, is very lucrative for hackers to sell on the black market. This is another reminder that even sophisticated networks need to improve their safeguards against data breaches by focusing on stopping malware from stealing information after a hacker has infiltrated the network.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
