U-Va. Officials Announce Database Breach

By Susan Kinzie
Washington Post Staff Writer
Saturday, June 9, 2007

Hackers have been breaking into a University of Virginia database that included Social Security numbers and other personal information about faculty members over the past two years.

School officials announced the security breaches yesterday, about a week after they discovered that, on 54 days between April 2005 and April 2007, someone broke into the records for more than 5,700 faculty members. Officials warned professors to carefully watch their financial accounts and have offered a year of free credit monitoring to everyone affected.

"I'm concerned about it," said professor Brandt R. Allen, whose data were exposed. He said he had already been a little worried about online security: "We probably have a lot more breaking and entering than people realize."

Many schools have had similar problems, and many have changed the types of personal information they store. U-Va. was in the process of moving from Social Security numbers to university-issued identification numbers, spokeswoman Carol Wood said. The theft brings greater urgency to that effort.

Hackers got into an academic Web site that mistakenly included the database of professors' information, officials said.

The database included names, Social Security numbers and dates of birth, but not financial information such as credit card numbers or bank accounts. No students or non-faculty staff members were affected.

When officials sent out e-mail alerts, the names got mixed up, and the school had to send follow-up messages and post a clarifying note online: "If an e-mail came to your address, your information has been exposed -- even if the name in the salutation is not yours."

That did not inspire confidence, Allen said.

University police have launched a criminal investigation with assistance from the FBI and campus technology experts. The data have been removed and security has been shored up, according to school officials. But they are concerned that more than 3,500 of those affected no longer work at U-Va. and could be difficult to contact, so they hope former faculty members will check the school's Web site.

Allen checked his credit. So far, so good. "If this is the worst thing that happens to me today," he said, "I'll be okay."

© 2007 The Washington Post Company