University of Virginia Breached by Phishing Attack

The University of Virginia (UVA) recently began notifying more than 1,400 of its Academic Division employees that their data was exposed as a result of a successful phishing attack.

The FBI alerted the university to the breach, which happened between November 2014 and February 2015.

“Suspects overseas involved in this incident are in custody,” UVA said in a statement.

The attackers accessed part of the university’s human resources system, exposing the W-2 tax forms for approximately 1,400 employees from 2013 and 2014, and the direct deposit banking information of 40 employees. In total, UVA employs over 20,000 people.

All those affected are being offered one free year of credit monitoring and identity protection services. Employees with questions are advised to contact (855) 907-3155.

“The incident is the result of a ‘phishing’ email scam by which the perpetrators sent emails asking recipients to click on a link and provide user names and passwords,” the university noted.

UVA, like many organizations, is a frequent target of phishing attacks — a recent security alert lists over two dozen examples of phishing emails currently targeting UVA users.

Following the breach, the university says it received several employee reports of tax fraud last spring. “The incidents were investigated and the information available to officials at that time did not indicate the fraud occurred as a result of any data exposure,” UVA stated. “However, this latest investigation by the FBI does suggest that some of the previously reported instances of tax fraud may be a result of the actions of these perpetrators.”

IDT911 chairman and founder Adam Levin told eSecurity Planet that phishing attacks will inevitably escalate in 2016. “While we don’t have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals,” he said.

“This is why it is imperative that organizations need to practice the three Ms: minimize the risk of exposure, continuously monitor systems, and have a breach response program in place that can help manage the damage,” Levin added.

According to a recent Cloudmark survey of 300 IT decision makers in the U.S. and U.K., more than 84 percent of organizations have been breached by a spear phishing attack. Survey respondents estimated the financial impact of spear phishing to their organization to be more than $1.6 million in the past year alone.

Recent eSecurity Planet articles have looked at the challenge of securing corporate data in a post-perimeter world, and offered advice on defeating phishing attacks.