Light & Verity

Alumni data exposed in online breach

This past June, a Yale alumnus ran an ordinary Google search of his own name and found more than he bargained for: his Social Security number, publicly available online. By then, his name and number—and those of 43,000 other students, faculty, and staff who had been affiliated with Yale in 1999—had been accessible in Google searches for nine months, according to the Yale Daily News.

The alumnus contacted Yale, and his discovery left Yale’s Information Technology Services (ITS) scrambling to understand the nature of the problem and the extent of the risk. They notified the affected Yalies of the leak by letter in early August, offering them two years of free credit monitoring through Debix, a Texas identity security firm. If a hacker tries to open a new credit card in a Yalie’s name, the firm will step in and “restore the identity” at no cost to the victim, says Russell Sharp, senior director of management services at ITS.

The leak didn’t come as a surprise to Tyler Johnson ’00, an attorney living in Alexandria, Virginia. He declined the year of free credit monitoring from Debix, relying instead on his bank and his own vigilance to protect against fraud. “I keep a wary eye on my information from time to time,” he says. An alumna who asked not to be named said she was “surprised and disappointed” by the problem but “glad they were making people aware of it and offering a service in return.”

How did the breach happen? The file the Googling alum stumbled across, located on a Yale file transfer protocol (FTP) server, was not intended to be public. But in September 2010—without notifying users—Google upgraded its search to comb FTP servers. Purdue University and the University of Wisconsin–Milwaukee have experienced similar breaches over the past year that accidentally exposed staff and students’ personal information.

Yale’s tech team has since turned a critical eye to its security measures. ITS is now scanning servers to remove files that contain Social Security numbers and other sensitive personal information, Sharp says. “We are also reviewing policies and procedures and conducting additional training regarding the management of servers that are exposed to the Internet.”  
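The remediation Sharp describes, scanning servers for files that contain Social Security numbers, as an added example that is not Yale ITS's own tool: a Python scanner that walks a directory tree (such as an FTP document root) and flags files holding SSN-shaped values that also pass the Social Security Administration's structural rules, which keeps phone numbers and placeholder values out of the report. The file names and records it scans are constructed for illustration.

```python
import os
import re
import tempfile

# Formatted or bare nine-digit candidate; \b stops longer digit runs (phone
# numbers, account ids) from matching in the middle.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are invalid. Cuts obvious false positives."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def find_ssns(text: str) -> list[str]:
    """Return validated SSN candidates found in a text blob, normalised."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if looks_like_ssn(*m.groups())]


def scan_tree(root: str) -> dict[str, int]:
    """Walk a directory (e.g. an FTP document root) and map each file path to
    its count of validated matches; errors="ignore" lets binaries pass through."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    count = len(find_ssns(fh.read()))
            except OSError:
                continue  # unreadable file: skip here, a real job would log it
            if count:
                findings[path] = count
    return findings


def demo_scan() -> dict[str, int]:
    """Scan a throwaway directory of constructed sample files (not real data)."""
    samples = {
        "roster_1999.txt": "Doe, Jane 123-45-6789\nRoe, Rick 234-56-7890\n",
        "phones.txt": "Help desk 203-555-0100, ext 4321\n",
        "invalid.txt": "placeholders 000-00-0000 and 666-12-3456\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return {os.path.basename(p): n for p, n in scan_tree(tmp).items()}
```

Only the roster file is reported; the phone numbers and the never-issued placeholder values are ignored, which is the kind of triage that keeps a campus-wide scan actionable.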
