Hackers access personal info on faculty members at Univ. of Virginia

Computerworld - About 6,000 current and former University of Virginia (UVa) faculty members are being notified that their names, Social Security numbers and birth dates may have been stolen by computer hackers between May 2005 and April 19 of this year.

In an announcement on Friday, the Charlottesville-based college said the security breach was discovered in an unidentified computer program. The statement said that no credit card, bank account or salary information was accessed, and no data involving students or nonfaculty employees was accessed.

The breach was fixed and the application was secured, according to the school, which said it is taking precautions to minimize future security risks on its systems.

The hackers accessed the personal information within a "special-purpose Web application," according to UVa. "The faculty information, which had been mistakenly included in the application's database, was not intended for public distribution."

"This information could not be accessed through everyday Web browsing," James Hilton, the university's CIO, said in a statement. "To find it required a relatively sophisticated and intentional attack on the database."

The university's Information Technology and Communications division learned of the breach during its ongoing Social Security number remediation efforts, according to the school. The database was removed on April 20, 2007, after an initial internal review was completed. Then, on May 22, programmers who maintain the Web site found that a hacker had defaced a page on the site. After securing the page, a more detailed review uncovered previous breaches dating back to 2005, the school said.

Investigators found that hackers broke into the system on 54 separate days between May 20, 2005, and April 19, 2007, accessing the records of 5,735 faculty members.

Shirley Payne, director for security and policy in the school's IT department, said she could not identify the exact Web application that was breached, but said "human error" allowed the data table containing the personal information to be included in a database linked to the application. "It really was not intended to provide this type of information, to deliver up this kind of information," Payne said. The data table was not viewable through a Web search but was accessed by hackers who entered the database and eventually found the linked data table, she said.

No suspects have been identified, and the incidents remain under investigation by the university's police department with assistance from the FBI and UVa's IT department.

The stolen data includes information on former faculty members who taught at the school from 1990 to 2003, as well as 2,100 current faculty members. Other information might have been included in some of the records, such as race, marital status, hire date, tenure date, tenure status, departmental affiliation, address, place of birth, employment history and academic matriculation.