Monday, January 25, 2016

Week 7 - Hackers Breach University of Virginia HR System

The FBI recently notified the University of Virginia of a data breach following a law enforcement investigation, which resulted in overseas suspects involved in the incident being taken into custody. The attack was carried out via a phishing email scam that asked users to click on a link and provide their user name and password.

The cybercriminals were able to gain access to the University's HR system, the W-2s of 1,400 employees, and the direct deposit banking information of 40 employees. Further investigation revealed that the attackers first gained access to the system in November 2014, with the last suspected intrusion occurring in February 2015.

Chairman and Founder of IDT911, Adam Levin, stated: "While we don't have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals."

This article proves once again the importance of Information Security Awareness in an organization. In this case, the employees who fell for the phishing attack could have prevented the hack. But they can't be completely at fault. I'd also raise a few questions to the organization's Chief Information Security Officer (CISO) or Security Manager: What type of Infosec Awareness training is in place? How often are employees required to go through the training? What can be done to minimize or even prevent an incident like this from happening again? Employees and users in general must understand that security starts with them.

Reference:
http://www.securityweek.com/hackers-breach-university-virginia-hr-system
