Hackers accessed numerous computer records containing personally identifiable information belonging to University of Virginia employees, part of a “phishing” scam that also included some bank records, school officials announced Friday.
An FBI investigation into data exposure at several U.S. colleges and universities found that overseas hackers, who are now in custody, gained access to records for 1,400 U-Va. employees, including W-2 tax forms from 2013 and 2014, U-Va. officials said in a statement. The direct deposit bank records for 40 employees also were stolen, U-Va. officials said.
“The University regrets that the personal information of these employees was accessed and has already taken steps to fortify its systems to prevent this from occurring in the future,” Patrick Hogan, the university’s executive vice president and chief operations officer, said in a statement. “The security of personal information and data is a top priority of the University and our IT professionals will continue to remain vigilant and work to further enhance our IT security infrastructure and systems.”
The data breach involved the use of a “phishing” scheme, where hackers sent emails to university staffers asking them to click on a link and provide their account log-in information and passwords. The W-2 forms hacker stole likely include personally identifiable information such as home addresses and social security numbers.
The university, located in Charlottesville, Va., employs 20,000 people. The hack affected staffers in the university’s academic division; they have been notified that their information was compromised and will receive free credit monitoring and identity protection services for one year, U-Va. officials said.
U-Va. officials said the data exposure is the second invasion of university IT systems in the past six months. In June, Chinese hackers attacked U-Va.’s IT network, but officials said the most recent breach is not related to the one from last summer.
Universities compile and store personal information for thousands of people, and they, like the federal government, have become regular targets for computer hackers.
Hackers two years ago accessed more than 300,000 personal records for faculty, staff and students who received identification cards at the University of Maryland between 1998 and 2014, an outside computer breach that compromised Social Security numbers, dates of birth and university identification numbers.
A former contract worker for the U-Md. said he also hacked into the school’s computer system in March 2014, accessing student grade-point averages and employee Social Security numbers and contact information. That hacker posted the university’s president’s “private information” online to draw attention to security problems at the school.