The University announced Friday that the names and Social Security numbers of 43,000 people affiliated with Yale have been available to Google search engine users for the past 10 months.
Though Information Technology Services Director Len Peters said there is no indication that the information has been exploited, Yale has established a response center to answer questions from affected students, faculty, staff and alumni — all of whom were affiliated with the University in 1999 — and is offering them two years of free credit monitoring and identity theft insurance.
Yale did not discover the breach until June 30, Peters said. While Google representatives told the University that the file is no longer available in searches, they would not say whether any Google users had actually accessed the file.
“We immediately blocked that server from the Internet, removed the file and did a complete scan of the server to make sure there were no additional at-risk files,” Peters said.
The information was stored on a file transfer protocol (FTP) server used primarily for open source materials. Peters said the file containing the names and Social Security numbers, mostly of people who worked for the University in 1999, was the only sensitive file to be made public. The file did not include addresses, birth dates or financial information.
In September 2010, Google modified its search engine to be capable of finding and indexing FTP servers, Peters said, but ITS was not aware of this change. He added that since discovering that the file was accessible, ITS has confirmed that other search engines, such as Yahoo!, do not index FTP servers.
Peters said that both file and the directory in which it was contained had innocuous names. A user who encountered the file in a Google search would not be able to determine what information the file held unless he or she opened it, he said.
“It was pretty well-hidden, with a very inconspicuous file name,” Peters said.
Google would not release information on how many times files have been accessed from its search engine, he added.
Peters, who came to ITS from Columbia Business School at the end of last year, said he will take steps to improve information security during his first year as Yale’s Chief Information Officer. These measures will include better communication with Google, he said.
Starting in September, Yale will outsource University e-mail to Google.