Talk about excessive tardiness: Yale University yesterday disclosed that more than 10 years ago, an online intruder breached one of the Ivy League school's databases, which contained information on alumni, faculty and staff members.
Although the incident took place between April 2008 and January 2009, university officials apparently only discovered the incident last June 16 when IT staffers were "testing its servers for vulnerabilities and discovered a log that revealed the intrusion," according to an online post from the New Haven, Conn.-based university. "Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred," the university explained.
The affected data includes names, Social Security numbers, birth dates (in most cases), many Yale email addresses, and some mailing addresses. No financial information was accessed.
In response, Yale says that on July 26 and 27, it mailed a notification letter as many affected individuals as staffers could locate, and set up a response center, which will assist those who have not yet been located. Additionally, Yale has arranged for victims to receive identity monitoring services.
Yale said has significantly fortified its data security measures since 2009. For instance, it ceased using Social Security numbers as routine identifiers in 2005, placed limitations on how SSN can be shared within the university, and has been testing its data center servers to identify vulnerabilities. Moreover, the university routinely deletes personal data deemed old and unnecessary. The data that was impacted in this incident was actually detected in 2011, noted Yale; however, by then the breach had already occurred.
DataBreaches.net reports that roughly 119,000 individuals were affected, although it is not evident where the site sourced that information.
"Back in 2008-2009 very few companies were aware of such a cyber threat, nor were they taking the necessary precautions. I am not surprised that more companies and educational institutions have not come forward to divulge breaches that happened in the distant past," said Mark Zurich, senior director of technology at Synopsis. "Perhaps they do not feel obligated to do so after a certain point. That being said, Yale is doing the right thing by making this breach public. This may,and should, wake up more educational institutions to the danger."
“Yale University is taking steps to help amend the potential damage of this breach by advancing the forensic investigation and contacting all affected parties as soon as possible," added Ryan Wilk, vice president at, NuData, a Mastercard company. On the flip side, although financial information was not exposed, even having your Social Security number, name, address, and date of birth stolen can still cause problems."