BreachExchange mailing list archives

Virginia Tech hack caused by human error, official says [The Roanoke Times, Va.]


From: Lee J <lee () riskbasedsecurity com>
Date: Wed, 25 Sep 2013 10:57:09 +1000

http://www.tmcnet.com/usubmit/2013/09/24/7434727.htm

(Roanoke Times (Roanoke, VA) Via Acquire Media NewsEdge) Sept. 24--Human
error is to blame for a successful cyber-attack on Virginia Tech's human
resources department that exposed sensitive information of about 145,000
job applicants, a university spokesman said.

Tech announced today that a computer server in the department was illegally
accessed Aug. 28. Letters were sent over the weekend to about 17,000 people
who, in applying for a job between 2003 and 2013, had put drivers' license
numbers on their applications for employment, according to a university
news release.

The other about 128,000 applicants -- some now employed by the university
-- who included employment and educational history and resumes, Tech
spokesman Larry Hincker said.


Virginia law defines such information as private and requires that
institutions notify people if such data is compromised.

The information leak was not a failure in the university's security system,
according to Hincker.

"We have protections and protocols in place" to prevent hackers from
accessing sensitive information, he said. "They were not followed. It was
human error." That error allowed a hacker or hackers to access a database
containing a decade's worth of applicant information.

So far as officials can discern, no social security numbers, credit card
information or dates of birth were accessed, according to a university news
release.

For those whose drivers' license numbers were accessed, the university is
offering a year of free credit monitoring services. The university also
suggests precautions such as placing a "fraud alert" on file with credit
monitoring agencies. These 90-day alerts are meant to intercept identity
theft attempts.

The information leaks varied by job category, according to the news
release. "Faculty applicants are asked to provide minimal information on
the online application, so no employment or education history was on the
server. For staff applicants, employment and education history was on the
server.

"Applicants typically attach documents (resumes, for example) to their
online application. No attached documents for any of the 144,963
individuals were on the server," the release stated.

Historically, Tech receives about 20,000 job applications a year. But in
recent years, Hincker said that number has gone as high as 50,000.

The university fends off thousands of daily cyber-attacks, he said.

But reports of successful attacks leading to large-scale data leaks have
been uncommon at Tech.

In 2011, a data mining virus dubbed "Zeus" that emptied bank accounts in
the United Kingdom was found to have infected a computer in Tech's
controller's office. That computer stored Social Security numbers and some
financial transaction information on current and former Tech employees.
About 370 people were affected by the virus, and they were offered free
credit monitoring services.

At the time, university officials said they knew of no identity theft
incidents stemming from that attack.