Cyber Incident Victim: University of Virginia
Date: Nov 2014
Location: United States of America
Summary
A phishing attack targeting the University of Virginia's human resources department compromised employee credentials, enabling unauthorized access to internal systems. The breach exposed W-2 tax forms for approximately 1,400 academic division employees and direct deposit banking details for 40 individuals, though medical center data remained unaffected due to separate systems. Following an FBI investigation that resulted in arrests, the institution notified impacted staff and offered a year of credit monitoring and identity protection services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The University of Virginia experienced a data breach compromising employee financial information after cyberattackers infiltrated its human resources department network. The breach originated from a phishing campaign targeting university employees, in which attackers sent deceptive emails soliciting HR system usernames and passwords. At least one employee provided credentials, granting the attackers unauthorized access. The intrusion period spanned from early November 2014 to early February 2015, with the attackers using the compromised credentials to access a component of the HR system. This access exposed sensitive data including 2013 and 2014 W-2 tax forms for approximately 1,400 Academic Division employees and direct deposit banking details for 40 employees. The university confirmed that UVA Medical Center systems remained unaffected because they are physically separate from the compromised HR infrastructure. Although the breach occurred over a three-month period, the university delayed public disclosure until January 22, 2016, when it began notifying impacted staff.

The FBI led the investigation, resulting in the arrest of multiple suspects whose identities and exact number remain undisclosed. University officials coordinated with federal investigators throughout the process, citing this collaboration as the reason for the delayed notification timeline. Affected employees were offered one year of complimentary credit monitoring and identity protection services. No evidence emerged suggesting misuse of the stolen data prior to containment. The university's advisory emphasized that disclosure occurred "as soon as it was practical" given investigative constraints, though the nearly 14-month gap between the last intrusion and notification drew implicit criticism for its lateness. Forensic analysis confirmed that the attackers, using the stolen credentials, targeted only Academic Division HR data; no lateral movement to other university systems or medical center networks was detected during the incident lifecycle.
