BreachExchange mailing list archives
Virginia Tech hack caused by human error, official says [The Roanoke Times, Va.]
From: Lee J <lee () riskbasedsecurity com>
Date: Wed, 25 Sep 2013 10:57:09 +1000
http://www.tmcnet.com/usubmit/2013/09/24/7434727.htm

(Roanoke Times (Roanoke, VA) Via Acquire Media NewsEdge) Sept. 24--Human error is to blame for a successful cyber-attack on Virginia Tech's human resources department that exposed sensitive information of about 145,000 job applicants, a university spokesman said.

Tech announced today that a computer server in the department was illegally accessed Aug. 28. Letters were sent over the weekend to about 17,000 people who, in applying for a job between 2003 and 2013, had put drivers' license numbers on their applications for employment, according to a university news release.

The other about 128,000 applicants -- some now employed by the university -- who included employment and educational history and resumes, Tech spokesman Larry Hincker said.

Virginia law defines such information as private and requires that institutions notify people if such data is compromised.

The information leak was not a failure in the university's security system, according to Hincker.

"We have protections and protocols in place" to prevent hackers from accessing sensitive information, he said. "They were not followed. It was human error."

That error allowed a hacker or hackers to access a database containing a decade's worth of applicant information.

So far as officials can discern, no social security numbers, credit card information or dates of birth were accessed, according to a university news release.

For those whose drivers' license numbers were accessed, the university is offering a year of free credit monitoring services. The university also suggests precautions such as placing a "fraud alert" on file with credit monitoring agencies. These 90-day alerts are meant to intercept identity theft attempts.

The information leaks varied by job category, according to the news release.

"Faculty applicants are asked to provide minimal information on the online application, so no employment or education history was on the server. For staff applicants, employment and education history was on the server.

"Applicants typically attach documents (resumes, for example) to their online application. No attached documents for any of the 144,963 individuals were on the server," the release stated.

Historically, Tech receives about 20,000 job applications a year. But in recent years, Hincker said that number has gone as high as 50,000.

The university fends off thousands of daily cyber-attacks, he said. But reports of successful attacks leading to large-scale data leaks have been uncommon at Tech.

In 2011, a data mining virus dubbed "Zeus" that emptied bank accounts in the United Kingdom was found to have infected a computer in Tech's controller's office. That computer stored Social Security numbers and some financial transaction information on current and former Tech employees.

About 370 people were affected by the virus, and they were offered free credit monitoring services. At the time, university officials said they knew of no identity theft incidents stemming from that attack.