Hacking Incident Affects 176,000
Virginia Commonwealth University's Servers Breached
On Oct. 24, routine monitoring of servers uncovered suspicious files on one device, according to a statement from the Richmond, Va.-based university. The server was taken offline, and a forensic investigation launched. The vulnerabilities were corrected, and officials determined no personal data was stored on the server involved.
Five days later, however, VCU's continuing investigation revealed two unauthorized accounts had been created on a second server, which was taken offline. An analysis determined the intruders had compromised this device through the first server. The hackers were on this second server "a short period of time and appeared to do nothing other than create the two accounts."
The second server contained names, Social Security numbers and, in some cases, dates of birth, contact information and "various programmatic or departmental information," according to the statement.
The university will offer free credit monitoring to those who request it, it notes on a website created to offer additional information about the hacker incidents. It states: "We believe that there is a very low likelihood that personal data was exposed or that there is a risk of identity theft. Therefore, we are not automatically offering identity protection services to all 176,000 individuals in this incident. However, for the peace of mind of concerned students, employees and affiliates, the university will honor individual requests for these services."
The website also provides details about the university's security steps. "The first server has been moved behind the university firewall, and the vulnerabilities that were present on both servers have been patched. Additional monitoring has also been put in place for these servers. Both the university and VCU Health System had already planned to engage external consulting firms to perform extensive security assessments to determine if any systems are at risk for unauthorized access. This testing will be expedited, and the results used to determine additional appropriate actions."
VCU said it's continuing its investigation, working with local and federal law enforcement agencies.