The University of Virginia is notifying about 6,000 current and former faculty members that their names, Social Security numbers, birth dates and other personal information may have been stolen by computer hackers between May 2005 and April of this year.
The university announced June 8 that a hacker, or hackers, had breached a "special-purpose web application" that mistakenly included a link to a data table containing a variety of information about University of Virginia faculty members. Investigators found that the system was broken into 54 times between 20 May, 2005, and 19 April, 2007, and that the records of 5,735 faculty members were accessed.
Shirley Payne, director of security coordination and policy in the university's IT department, said in an interview this week that "human error" was to blame for the table being linked to the web application.
The application "really was not intended to deliver up this kind of information", Payne said. She added that the data table couldn't be viewed through Web searches. The hackers accessed it by breaking into the application's database and eventually finding the linked table, she said.
CIO James Hilton said in a statement included in the university’s announcement that finding the data table "required a relatively sophisticated and intentional attack on the database."
The apparent theft "adds greater urgency to our ongoing effort to remove from databases Social Security numbers and other personal information that could be accessed through the Internet and later potentially abused," Hilton added.
The school said workers in the Office of Information Technology and Communication discovered the breach as part of the ongoing Social Security number remediation effort.
The connection to the data table was removed on 20 April after an initial internal review. Then, on 22 May, programmers who maintain the school's website found that a hacker had defaced a page. After the page was secured, a more detailed security review uncovered breaches of the data table dating back to 2005, the University of Virginia said.
No data related to students or employees other than faculty members was accessed, according to the university, which said it is taking unspecified precautions to minimise future security risks on its systems.