Yale affiliates’ SSNs were searchable on Google

The University announced Friday that the names and Social Security numbers of 43,000 people affiliated with Yale have been available to Google search engine users for the past 10 months.

Though Information Technology Services Director Len Peters said there is no indication that the information has been exploited, Yale has established a response center to answer questions from affected students, faculty, staff and alumni — all of whom were affiliated with the University in 1999 — and is offering them two years of free credit monitoring and identity theft insurance.

Yale did not discover the breach until June 30, Peters said. While Google representatives told the University that the file is no longer available in searches, they would not say whether any Google users had actually accessed the file.

“We immediately blocked that server from the Internet, removed the file and did a complete scan of the server to make sure there were no additional at-risk files,” Peters said.

The information was stored on a file transfer protocol (FTP) server used primarily for open source materials. Peters said the file containing the names and Social Security numbers, mostly of people who worked for the University in 1999, was the only sensitive file to be made public. The file did not include addresses, birth dates or financial information.

In September 2010, Google modified its search engine to be capable of finding and indexing FTP servers, Peters said, but ITS was not aware of this change. He added that since discovering that the file was accessible, ITS has confirmed that other search engines, such as Yahoo!, do not index FTP servers.

Peters said that both the file and the directory in which it was contained had innocuous names. A user who encountered the file in a Google search would not be able to determine what information the file held unless he or she opened it, he said.

“It was pretty well-hidden, with a very inconspicuous file name,” Peters said.

Google would not release information on how many times files have been accessed from its search engine, he added.

Peters, who came to ITS from Columbia Business School at the end of last year, said he will take steps to improve information security during his first year as Yale’s Chief Information Officer. These measures will include better communication with Google, he said.

Starting in September, Yale will outsource University e-mail to Google.

Comments

  • simpsomatt

    Sounds like Yale’s IT folks still don’t get security. The issue is not whether Google, or any other search engine, indexes your FTP servers. The issue is that you’re putting confidential data on servers with apparently no security, and just hoping nobody finds it. If Google was able to index it, then any user could have read it without Google’s help. Google just made it more obvious. Placing confidential data on a server that is readable by anybody in the world is not secure, even if you use “innocuous” file names and verify that a couple of the most popular search engines don’t index it. There are thousands of little-known robots constantly crawling the web, many of them with motives far less pure than Google or Yahoo. It sounds like you haven’t even bothered to check your own FTP logs (assuming you even have them) to see whether the data was downloaded.
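The comment's closing point, checking the FTP server's own transfer log to see who actually downloaded the file, is something an incident responder can do with a few lines of code. The following is an added example, not code from the article or from Yale ITS: it parses the standard xferlog format written by wu-ftpd, vsftpd and proftpd and reports completed downloads of a path flagged as sensitive. The log lines and the file path are constructed for illustration.

```python
"""Find completed downloads of a flagged file in an FTP xferlog."""
from collections import Counter

# Constructed sample records (not from the incident); hypothetical paths and hosts.
SAMPLE_XFERLOG = """\
Tue Aug 30 09:14:02 2011 1 198.51.100.7 4096 /pub/mirror/README a _ o a anonymous ftp 0 * c
Tue Aug 30 09:15:41 2011 3 203.0.113.25 2097152 /pub/misc/notes/list.txt a _ o a anonymous ftp 0 * c
Tue Aug 30 11:02:10 2011 2 203.0.113.25 2097152 /pub/misc/notes/list.txt a _ o a anonymous ftp 0 * i
Wed Aug 31 02:40:55 2011 4 192.0.2.88 2097152 /pub/misc/notes/list.txt b _ o a anonymous ftp 0 * c
Wed Aug 31 02:41:30 2011 1 192.0.2.88 8192 /pub/mirror/CHANGELOG a _ o a anonymous ftp 0 * c
"""

SENSITIVE_PATHS = {"/pub/misc/notes/list.txt"}  # hypothetical file flagged after the fact


def parse_xferlog_line(line):
    """Split one xferlog record into a dict; return None for malformed lines.

    Layout: five timestamp tokens, then transfer-time, remote-host, file-size,
    filename (spaces are written as '_' by the server), transfer-type,
    special-action, direction (o = download, i = upload), access-mode
    (a = anonymous), username, service, auth-method, auth-user, status (c/i).
    """
    parts = line.split()
    if len(parts) < 18:
        return None
    return {
        "time": " ".join(parts[0:5]),
        "host": parts[6],
        "size": int(parts[7]),
        "path": parts[8],
        "direction": parts[11],
        "access": parts[12],
        "status": parts[17],
    }


def sensitive_downloads(log_text, sensitive_paths):
    """Return (records, per-host counts) for completed downloads of flagged paths.

    Only outbound ('o') transfers with completion status 'c' count as exposure;
    an interrupted transfer ('i') is skipped here.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec["path"] in sensitive_paths \
                and rec["direction"] == "o" and rec["status"] == "c":
            hits.append(rec)
    return hits, Counter(r["host"] for r in hits)


if __name__ == "__main__":
    records, hosts = sensitive_downloads(SAMPLE_XFERLOG, SENSITIVE_PATHS)
    for r in records:
        print(f'{r["time"]}  {r["host"]:<15} {r["access"]}  {r["path"]}')
    print("downloads per host:", dict(hosts))
```

On a real server, point it at the rotated xferlog files as well, since a ten-month exposure window spans many rotations.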