Personally identifiable and financial information of some 1,400 University of Virginia employees has been compromised by attackers in a breach that dates back to early November 2014.
“In collaboration with the FBI, the University confirmed that unauthorized individuals illegally accessed a component of our human resources system, exposing personally identifiable information of a subset of Academic Division employees. The exposure does not include UVA Medical Center information as it is on a separate system,” the University said in a statement published on Friday.
“The incident is the result of a ‘phishing’ email scam by which the perpetrators sent emails asking recipients to click on a link and provide user names and passwords. Once the perpetrators were able to gain access to the HR system, W-2s of approximately 1,400 employees (for years 2013 and 2014) and the direct deposit banking information of 40 employees were accessed.”
Also on Friday, the University began notifying affected employees via email and snail mail.
The statement also notes that the persons suspected to have been involved in this incident have been arrested overseas, but the University offered no details on their number, identities, or current location.
The University also made sure to point out that this incident was in no way related to a previous cyber attack originating from China of portions of the University’s IT systems that was discovered in August.
“The University did receive several employee reports last Spring of tax fraud. The incidents were investigated and the information available to officials at that time did not indicate the fraud occurred as a result of any data exposure. However, this latest investigation by the FBI does suggest that some of the previously reported instances of tax fraud may be a result of the actions of these perpetrators,” the University said.
Affected employees will be receiving a one year of free credit monitoring and identity protection services.