Computer hackers accessed personally identifiable information and financial details belonging to around 1,400 University of Virginia workers as part of an email phishing scam, the University announced. An internal investigation determined that the culprits first accessed the stolen records in early November 2014 and continued to pluck private data up through early February 2015.
Stephen Coty, chief security evangelist at Alert Logic says: “This breach originated in the HR department, in what seems to have been a spoofed email from their IT department asking for the infected employee(s) to enter their username and password. This affected about 1,400 employees, and the data included their W-2's and some financial data related to direct deposit. There has been an upswing of infection related to non-technical departments, like HR and Finance, over the past few years.
This is a rookie hack, with rookie results. To do something like this at a University would not take a lot of effort. This is a typical, successful phishing campaign. UVA should be checking their email filters to confirm that they are scanning for attachments. How sure are they that the attacker is no longer on their network? Have they deployed a solid security in-depth strategy? Are they monitoring their network for intrusion 24/7/365? Do they have students managing their security posture or are they using professionals from a managed security service?
Why did this attack happen? It is because they are successful. A non-technical person is more likely to click on a phishing email than a technical resource, who would know what to check for in case of infection.
Retraining all of their staff on cyber security is essential, as is increasing the frequency of this sort of training from once a year to once a quarter. Make it a series of lunch-and-learns, bringing in outside professionals to speak in order to pique the interest of work and home threats so there is awareness.”