Faculty members at the University of Virginia have had their personal records hacked, including salary details and social security numbers.

The hack, which is believed to have gone undetected for two years, netted details on over 6,000 staff who had taught at the university from 1990 to August 2003.

The hacker defaced a web page on the university's portal and when IT staff cleaned up they found evidence of the attack.

"We sincerely regret the distress this causes to our colleagues," said James Hilton, vice president and chief information officer at the University of Virginia.

"This theft adds greater urgency to our ongoing effort to remove Social Security numbers and other personal information from databases that could be accessed through the internet and potentially abused.

"The University is continually modifying its systems and practices to enhance the security of sensitive information and training its employees in data protection."

But experts have expressed surprise that the hacking attack went undiscovered for so long.

"Security system failures are becoming a fact of life in the modern IT environment, especially when IT managers rely on a single security technology to protect their systems," said Phil Higgins, a senior partner with IT consultancy Brookcourt Solutions.

"But a failure lasting two years? Come on. Modern day hackers, as shown by the University of Virginia hack, are sophisticated internet users, and it takes a sophisticated best of breed multi-product approach to tackle the problem."