Old school: Yale discloses breach from more than 10 years ago

Talk about excessive tardiness: Yale University yesterday disclosed that more than 10 years ago, an online intruder breached one of the Ivy League school's databases, which contained information on alumni, faculty and staff members.

Although the incident took place between April 2008 and January 2009, university officials apparently only discovered the incident last June 16 when IT staffers were "testing its servers for vulnerabilities and discovered a log that revealed the intrusion," according to an online post from the New Haven, Conn.-based university. "Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred," the university explained.

The affected data includes names, Social Security numbers, birth dates (in most cases), many Yale email addresses, and some mailing addresses. No financial information was accessed.

In response, Yale says that on July 26 and 27, it mailed a notification letter to as many affected individuals as staffers could locate, and set up a response center, which will assist those who have not yet been located. Additionally, Yale has arranged for victims to receive identity monitoring services.

Yale said it has significantly fortified its data security measures since 2009. For instance, it ceased using Social Security numbers as routine identifiers in 2005, placed limitations on how SSNs can be shared within the university, and has been testing its data center servers to identify vulnerabilities. Moreover, the university routinely deletes personal data deemed old and unnecessary. The data that was impacted in this incident was actually detected in 2011, noted Yale; however, by then the breach had already occurred.

DataBreaches.net reports that roughly 119,000 individuals were affected, although it is not evident where the site sourced that information.

"Back in 2008-2009 very few companies were aware of such a cyber threat, nor were they taking the necessary precautions. I am not surprised that more companies and educational institutions have not come forward to divulge breaches that happened in the distant past," said Mark Zurich, senior director of technology at Synopsis. "Perhaps they do not feel obligated to do so after a certain point. That being said, Yale is doing the right thing by making this breach public. This may, and should, wake up more educational institutions to the danger."

"Yale University is taking steps to help amend the potential damage of this breach by advancing the forensic investigation and contacting all affected parties as soon as possible," added Ryan Wilk, vice president at NuData, a Mastercard company. "On the flip side, although financial information was not exposed, even having your Social Security number, name, address, and date of birth stolen can still cause problems."

Bradley Barth
