The University of Virginia (UVA) has notified approximately 1,400 of its employees that unauthorized individuals were able to access its HR system and the personal information of 1,400 employees of the Academic Division. The intruders launched a successful phishing attack asking for employees to provide user names and passwords. The successful phishing attack scored the W-2 forms (which includes names, addresses and Social Security numbers) of 1,400 employees and the direct deposit banking information of 40 employees from 2013 and 2014.

UVA was unaware of the intrusion, which occurred between early November 2014 and early February 2015. The FBI notified UVA following an “extensive law enforcement investigation.”

UVA is offering the affected individuals one year of free credit monitoring and identity protection services.

This is another example of how important training is for employees about phishing and spear phishing attacks. The attacks have become more sophisticated and the hackers are using social engineering to dupe employees into clicking on links and providing the keys to the company’s kingdom. Companies may wish to consider intensifying employee training to effectively combat these attacks, which have been on the rise for some time.