On June 30, staff at the University's Information Technology Services office got an unwelcome surprise when they discovered that the names and Social Security numbers of 43,000 Yale affiliates had been showing up in Google searches for the past 10 months.
The breach occurred when Google altered its search in September 2010 to find and index file transfer protocol (FTP) servers, such as the one that stored the Yalies' private information. ITS has taken steps to protect the information compromised in the breach, which Yale publicly announced Aug. 12, and has set about notifying the affected students, faculty, staff and alumni, all of whom were linked to the University in 1999, via postal mail.
Though ITS Director Len Peters said there is no indication that the information has been exploited, Yale has established a response center for affected individuals and is offering them two years of free credit monitoring and identity theft insurance.
“I wasn’t thrilled about it but I’m not terribly concerned,” said Heather Jones ’99, whose Social Security number was one of those included in the file. “Honestly, I’m going to take my chances and not do anything about it.”
While Google representatives told the University that the file is no longer available in searches, they would not say whether any Google users had actually accessed the file.
“We immediately blocked that server from the Internet, removed the file, and did a complete scan of the server to make sure there were no additional at-risk files,” Peters said.
The information was stored on an FTP server used primarily for open source materials. Peters said the file containing the names and Social Security numbers, mostly of people who worked for the University in 1999, was the only sensitive file to be made public. The file did not include addresses, birth dates or financial information.
Since Google modified its search to include FTP servers, hackers have developed a process for finding and exploiting weaknesses through search queries, a technique called "Google dorking."
Peters said ITS was not aware that Google instituted the advanced FTP search last September. He added that since discovering that the file was accessible, ITS has confirmed that other search engines, such as Yahoo!, do not index FTP servers.
Peters said that both the file and the directory in which it was contained had innocuous names. A user who encountered the file in a Google search would not have been able to determine what information the file held unless he or she opened it, he said.
“It was pretty well hidden, with a very inconspicuous file name,” Peters said.
Google would not release information on how many times files have been accessed from its search engine, he added.
Peters, who came to ITS from Columbia Business School at the end of last year, said he will take steps to improve information security during his first year as Yale’s Chief Information Officer. These measures will include better communication with Google, he said.
Starting in September, Yale will outsource University email to Google.