University of Virginia Targeted In Phishing Attack

The University of Virginia has revealed through notifications sent to its employees that their data was exposed as a consequence of a targeted and successful phishing attack.

A public security advisory posted by the academic institution late last week confirmed that malicious attackers targeted and stole a component of the university’s human resources system. This has led to the breach of information of some 1,400 Academic Division employees.

The attackers gained access to the W-2 tax forms for the employees at the University between 2013 and 2014. They were also able to obtain the direct deposit banking information of 40 employees.

The data breach occurred after it was revealed that a malicious email triggered the successful phishing attack, either sent in bulk or specifically toward specific targeted employees whose computers have a higher security clearance than most others. The University of Virginia confirmed that the phishing email campaign actively sought credentials such as usernames and passwords to the human resource system.

“The incident is the result of a ‘phishing’ email scam by which the perpetrators sent emails asking recipients to click on a link and provide user names and passwords,” the University confirmed.

As things stand, there is no evidence to show that the University’s medical center information was compromised, with health records being a common target for cybercriminals.

The University recounts the original attack to have occurred as early as November 2014, with the last known cyber intrusion taking place nearly a year ago in February 2015.

Further details revealed that this particular attack bore no resemblance to a previous attack suffered by the university’s IT systems in June 2015. At the time, the attacks were revealed to be from China and they focused on two email accounts of employees working with Chinese nationals. As a direct consequence of the China-based attacks, the University had upgraded all affected systems and improved its cybersecurity measures.

Related article: Rutgers University to Spend $3 Million on Cybersecurity

As it turns out so often however, human vulnerabilities still remain among the most frequent methods of exploit for malicious operators out there. This time, it was no different.

The incident affected just under 1,500 employees, while the University employs more than 20,000.

Additionally, the University also revealed that the FBI were notified of the data breach and suspects overseas are already in custody.

The institution has since reset the employee passwords and has requested that they change their passwords to a strong password. The University began notifying those affected via email and US mail. Victims are also assured a year’s worth of identity protection services and credit monitoring for free.

Image credit: Wikimedia.