Due to the weather, some customers may experience late delivery of The Roanoke Times. We apologize for the delay.
The cyber-attack exposed sensitive information of about 145,000 job applicants at the university.
Wednesday, September 25, 2013
Human error is to blame for a successful cyber attack on Virginia Tech’s human resources department that exposed sensitive information of about 145,000 job applicants, a university spokesman said.
Tech announced Tuesday that a computer server in the department was illegally accessed Aug. 28. Letters were sent over the weekend to about 17,000 people who, in applying for jobs between 2003 and 2013, had put driver’s license numbers on their applications for employment, according to a university news release.
The other approximately 128,000 applicants — some now employed by the university — who included employment and educational history and resumes were also affected, Tech spokesman Larry Hincker said.
Virginia law defines such information as private and requires that institutions notify people if such data are compromised.
The information leak was not a failure in the university’s security system, Hincker said.
“We have protections and protocols in place” to prevent hackers from accessing sensitive information, he said. “They were not followed. It was human error.”
That error allowed a hacker or hackers to access a database containing a decade’s worth of applicant information.
So far as officials can discern, no social security numbers, credit card information or dates of birth were accessed, according to a university news release.
For those whose driver’s license numbers were accessed, the university is offering a year of free credit monitoring services. The university also suggests precautions such as placing a “fraud alert” on file with credit monitoring agencies. These 90-day alerts are meant to intercept identity theft attempts.
The information leaks varied by job category, according to the news release. “Faculty applicants are asked to provide minimal information on the online application, so no employment or education history was on the server. For staff applicants, employment and education history was on the server.
“Applicants typically attach documents (resumes, for example) to their online application. No attached documents for any of the 144,963 individuals were on the server,” the release said.
Historically, Tech receives about 20,000 job applications a year. But in recent years, Hincker said that number has gone as high as 50,000.
The university fends off thousands of cyber attacks daily, he said. An eight-person team within the university’s information technology division leads cybersecurity efforts. The team’s annual budget is about $400,000, just less than half of the approximately $1 million IT budget, Hincker said.
Reports of successful attacks leading to large-scale data leaks have been uncommon at Tech.
In 2011, a data mining virus dubbed “Zeus” that emptied bank accounts in the United Kingdom was found to have infected a computer in Tech’s controller’s office. That computer stored Social Security numbers and some financial transaction information on current and former Tech employees. About 370 people were affected by the virus, and they were offered free credit monitoring services.
At the time, university officials said they knew of no identity theft incidents stemming from that attack.
Weather JournalNew batch of moisture for PM