About 6,000 current and former University of Virginia (UVa) faculty members are being notified that their names, Social Security numbers and birth dates may have been stolen by computer hackers between May 2005 and April 19 of this year.
In an announcement on Friday, the Charlottesville-based college said the security breach was discovered in an unidentified computer program. The statement said that no credit card, bank account or salary information was accessed, and no data involving students or non-faculty employees was accessed.
The breach was fixed and the application was secured, according to the school, which said it is taking precautions to minimize future security risks on its systems.
The hackers accessed the personal information within a "special-purpose Web application," according to the university. "The faculty information, which had been mistakenly included in the application's database, was not intended for public distribution."
"This information could not be accessed through everyday Web browsing," James Hilton, the university's CIO, said in a statement. "To find it required a relatively sophisticated and intentional attack on the database." The university's Information Technology and Communications division learned of the breach as it was continuing its Social Security number remediation efforts, according to the school. The database was removed on April 20, 2007 after initial internal review was completed. Then, on May 22, programmers who maintain the Web site found that a hacker had defaced a page on the site. After securing the page, a more detailed review uncovered previous breaches dating back to 2005, the school said.
Investigators found that hackers broke into the system on 54 separate days between May 20, 2005 and April 19, 2007, accessing records of 5,735 faculty members. No suspects have been identified and the incidents remain under investigation by the university's police department with assistance from the FBI and UVa's IT department.
Neither Hilton or another university spokesman could be reached for comment.
The stolen data includes information on former faculty members who taught at the school from 1990 to 2003 as well as 2,100 current faculty members. Other information might have been included in some of the records, such as race, marital status, hire date, tenure date, tenure status, departmental affiliation and address, place of birth, employment history, and academic matriculation.
All current faculty whose records were exposed have been notified, according to the university, while former faculty members who were affected are still being contacted by postal mail and e-mail. The university is offering one year of free credit monitoring to those affected. A special telephone hotline and Web site have also been established to provide additional information and assistance.
"We sincerely regret the distress this causes to our colleagues," Hilton said. "This theft adds greater urgency to our ongoing effort to remove from databases Social Security numbers and other personal information that could be accessed through the Internet and later potentially abused. The university is continually modifying its systems and practices to enhance the security of sensitive information and training its employees in data protection."
A letter from Hilton explaining what happened is also posted on the school's Web site.
Ad Choices