Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/11/2007
08:02 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attackers Break Into UVA Database

Personal data on nearly 6,000 former and current faculty members at the University of Virginia was compromised

Hackers exploited a vulnerability in a University of Virginia Web application and gained access to personal data on nearly 6,000 former and existing faculty members there.

A Web design error apparently left a private database on "background pages" on the university's Website. Investigators believe the attackers got the information from a special-purpose Web application, in which the faculty information was mistakenly included in its database. The database contained names, Social Security numbers, and birth dates, and in the case of some faculty members, their race, marital status, tenure information, employment history, and other private information.

UVA's IT group first discovered the database on April 20, and removed it. It wasn't until a month later that they discovered the actual security breach after an unrelated Website defacement incident. During the period of May 20, 2005, and April 19, 2007, attackers gained access to personal records of nearly 6,000 faculty members who had worked at UVA from around 1990 to August 2003, as well as current faculty. Of the 6,000, 2,100 are now employed at the university.

IT officials at the university since have secured the application and removed the data that was breached. Like many other organizations in a long line of recent security breaches, UVA is offering free credit monitoring to the victims, as well as identity theft insurance.

James Hilton, UVA's vice president and CIO, said in a prepared statement that the attack was a sophisticated one. "The information could not be accessed through everyday Web browsing," he said. "To find it required a relatively sophisticated and intentional attack on the database."

The incident has prompted UVA to ramp up efforts it already had begun to remove Social Security numbers and other personal data from databases that can be reached via the Internet, according to Hilton. "The University is continually modifying its systems and practices to enhance the security of sensitive information and training its employees in data protection," he said in the statement.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8071
PUBLISHED: 2019-10-17
Adobe Download Manager versions 2.0.0.363 have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-10752
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVE-2019-12611
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
CVE-2019-13657
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
CVE-2019-15626
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.