Hacking Incident Affects 176,000

Virginia Commonwealth University's Servers Breached
Hacking Incident Affects 176,000
Servers at Virginia Commonwealth University were recently hacked, potentially exposing Social Security numbers for more than 176,000 faculty, staff, students and affiliates at the university and the VCU Health System. No patient information was involved.

On Oct. 24, routine monitoring of servers uncovered suspicious files on one device, according to a statement from the Richmond, Va.-based university. The server was taken offline, and a forensic investigation launched. The vulnerabilities were corrected, and officials determined no personal data was stored on the server involved.

Five days later, however, VCU's continuing investigation revealed two unauthorized accounts had been created on a second server, which was taken offline. An analysis determined the intruders had compromised this device through the first server. The hackers were on this second server "a short period of time and appeared to do nothing other than create the two accounts."

The second server contained names, Social Security numbers and, in some cases, dates of birth, contact information and "various programmatic or departmental information," according to the statement. Credit Monitoring

The university will offer free credit monitoring to those who request it, it notes on a website created to offer additional information about the hacker incidents. It states: "We believe that there is a very low likelihood that personal data was exposed or that there is a risk of identity theft. Therefore, we are not automatically offering identity protection services to all 176,000 individuals in this incident. However, for the peace of mind of concerned students, employees and affiliates, the university will honor individual requests for these services."

The website also provides details about the university's security steps. "The first server has been moved behind the university firewall, and the vulnerabilities that were present on both servers have been patched. Additional monitoring has also been put in place for these servers. Both the university and VCU Health System had already planned to engage external consulting firms to perform extensive security assessments to determine if any systems are at risk for unauthorized access. This testing will be expedited, and the results used to determine additional appropriate actions."

VCU said it's continuing its investigation, working with local and federal law enforcement agencies.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network