Virginia Tech announced Tuesday morning that a human resources server had been illegally accessed, potentially compromising the driver's license numbers of over 16,000 job applicants.
The server contained sensitive information on 144,963 people who applied for positions at Tech between 2003 and 2013.
Last week, Associate Vice President for Human Resources Hal Irvin sent a letter to 16,642 people whose personal information, including names and driver's license numbers, may have been accessed on Aug. 28, 2013.
University officials were notified in August by an email stating the server was involved in questionable activity.
The other 128,321 applicants were not personally notified because their information on the server consisted of standard employment applicant information; no credit card, date of birth or Social Security information was compromised.
According to Larry Hincker, associate vice president for University Relations, the attack was the result of human error in policy and protocol when dealing with sensitive information.
A forensics investigation determined that the information was accessed partly through a Tech server in Italy.
"The issue here is that someone on our staff goofed,” said Hincker. “There really are no changes to be made to the protocol. We have well-understood policies and procedures with respect to securing data."
University IT Security Officer Randy Marchany monitors and responds to cyber attacks against VT computers and IT services.
“The Administrator account password did not follow VT's password strength rules,” said Marchany, regarding how the attack was possible. “(It) was trivial and easy to guess.”
Going forward, Hincker says it’s just a matter of doing the right thing. “We’re going to do what's appropriate and what’s right as well as what’s required by law,” Hincker said.
The only action the university was obligated to take by law was to inform the individuals of the potential threat to their security.
However, in response to the attack, Tech is providing identity insurance and access to a credit monitoring service for a year to individuals whose driver's license numbers were accessible during the attack.
Depending on which company an individual chooses (Equifax, TransUnion or Experian), each insurance policy costs about $15-20 per person, which will end up costing the university thousands of dollars.
Though attempts to hack into Tech systems occur daily, Tech’s Standards for Storing and Transmitting Personally Identifying Information, along with the IT department, have prevented a large-scale hack of this nature in the past.
Virginia Tech had a breach in 2011 when malware was loaded on a Tech system and attempted to search the computer for Social Security numbers and other information.
Marchany admits that the main effect of this incident is reputational damage to the university.
“Protecting your sensitive data is a critical mission of the University,” Marchany said. “At the same time, individuals must take the same precautions to protect their personal info on their own computers.”
“Data breaches (like this one) are widespread and usually caused by something minor such as a weak password or a stolen laptop with unencrypted sensitive data,” Marchany said.
Marchany said the IT security department was well equipped to handle the attack.
“We were prepared to respond to such incidents and took steps immediately to disconnect the system from the network,” Marchany said. “Our cybersecurity monitors gave us the information needed to piece together what happened and determine where the attacks originated.”
According to Marchany, the investigation is closed and IT officials believe it was a random probe that found a hole in the system due to a weak password.