Light & Verity

Alumni data exposed in online breach

This past June, a Yale alumnus ran an ordinary Google search of his own name and found more than he bargained for: his Social Security number, publicly available online. By then, his name and number—and those of 43,000 other students, faculty, and staff who had been affiliated with Yale in 1999—had been accessible in Google searches for nine months, according to the Yale Daily News.

The alumnus contacted Yale, and his discovery left Yale’s Information Technology Services (ITS) scrambling to understand the nature of the problem and the extent of the risk. They notified the affected Yalies of the leak by letter in early August, offering them two years of free credit monitoring through Debix, a Texas identity security firm. If a hacker tries to open a new credit card in a Yalie’s name, the firm will step in and “restore the identity” at no cost to the victim, says Russell Sharp, senior director of management services at ITS.

The leak didn’t come as a surprise to Tyler Johnson ’00, an attorney living in Alexandria, Virginia. He declined the year of free credit monitoring from Debix, relying instead on his bank and his own vigilance to protect against fraud. “I keep a wary eye on my information from time to time,” he says. An alumna who asked not to be named said she was “surprised and disappointed” by the problem but “glad they were making people aware of it and offering a service in return.”

How did the breach happen? The file the Googling alum stumbled across, located on a Yale file transfer protocol (FTP) server, was not intended to be public. But in September 2010—without notifying users—Google upgraded its search to comb FTP servers. Purdue University and the University of Wisconsin–Milwaukee have experienced similar breaches over the past year that accidentally exposed staff and students’ personal information.

Yale’s tech team has since turned a critical eye to its security measures. ITS is now scanning servers to remove files that contain Social Security numbers and other sensitive personal information, Sharp says. “We are also reviewing policies and procedures and conducting additional training regarding the management of servers that are exposed to the Internet.”  


The comment period has expired.