June 8, 2007 — The University of Virginia has discovered a security breach in one of its computer applications that resulted in exposure of sensitive information belonging to current and former U.Va. faculty members. The information included names, Social Security numbers and dates of birth. No credit card, bank account or salary information was involved in the incident.
As soon as this breach was discovered, the vulnerability was corrected and a thorough investigation was instituted. This criminal investigation is being conducted by University Police in consultation with the FBI and the University’s computing and audit professionals. The investigation has revealed that on 54 separate days between May 20, 2005 and April 19, 2007, hackers tapped into the records of 5,735 faculty members. No suspects have been identified.
No data pertaining to students or the University’s non-faculty employees were exposed.
University officials are warning affected current and former faculty members that the hackers could use the stolen information to set up fraudulent bank or credit card accounts and are urging them to monitor their credit reports closely. The University is offering one year of free credit monitoring to those affected.
All current faculty whose records were exposed in this breach have been notified. The University is continuing to work to notify former faculty members who were affected.
Those affected include anyone who taught or had any faculty designation (academic, administrative or adjunct) at the University or at the College at Wise from approximately 1990 to August 2003. Of those whose records were accessed, about 2,100 are currently employed at U.Va. The University is contacting those affected through both the U.S. Postal Service and electronic mail. Additionally, it has established an informational Web page.
Former and current faculty members also can check whether they were affected by calling a toll-free number, (866) 621-5948, between 8 a.m. and 5 p.m. on weekdays, as well as on Saturday, June 9. Those who prefer to e-mail their questions or concerns should send them to firstname.lastname@example.org. The University particularly encourages former faculty members, whose last contact information may be out of date, to make an inquiry.
“We sincerely regret the distress this causes to our colleagues,” said James Hilton, U.Va.’s vice president and chief information officer. “This theft adds greater urgency to our ongoing effort to remove from databases Social Security numbers and other personal information that could be accessed through the Internet and later potentially abused. The University is continually modifying its systems and practices to enhance the security of sensitive information and training its employees in data protection.”
Investigators believe that the hackers accessed the information in a special-purpose Web application. The faculty information, which had been mistakenly included in the application’s database, was not intended for public distribution.
“This information could not be accessed through everyday Web browsing,” Hilton said. “To find it required a relatively sophisticated and intentional attack on the database.”
The University’s Information Technology and Communications division first discovered the existence of the database as part of its Social Security number remediation efforts and removed it on April 20, 2007, after concluding an initial internal review.
On May 22, programmers who maintain the site discovered, in a separate, unrelated incident, that a hacker had defaced a page on the site. After the database was secured, programmers continued reviewing server logs to investigate that attack more thoroughly. On May 29, the earlier breaches were discovered.