Data Security Breach at University of Virginia, Hackers Access Social Security Numbers of 5,735 Faculty Members
The University of Virginia has issued a press release (http://www.virginia.edu/uvatoday/newsRelease.php?id=2217) confirming a data security breach that occurred between May 20, 2005 and April 19, 2007. The University's ongoing investigation has found that during this period hackers were able to access the names, social security numbers, and dates of birth of 5,735 faculty members.
The University of Virginia Police are currently coordinating with the U.S. Federal Bureau of Investigation (FBI) on the ongoing criminal investigation. Initial findings suggest that the hackers retrieved the information from a database through sophisticated web application attacks. In simple terms, the hackers manipulated an Internet-facing web application so that it returned personal information from an internal database server.
This is not surprising considering the rise in application-layer attacks in recent years. Most organizations fail to adequately secure their web applications or to test them for exploitable vulnerabilities. Organizations, including universities, should do more to test web applications for vulnerabilities that could allow attackers to escalate their privileges and gain unauthorized access to sensitive databases. Application security testing is not the final answer in the "arms race" between security professionals and attackers, but it is a step in the right direction.