Three months after Yale discovered that the Social Security numbers of 43,000 Yale community members had been accessible in Google searches for almost a year, Information Technology Services officials say there is still no indication the information has been exploited — and just 10 percent of affected individuals have signed up for free credit monitoring and insurance offered by the University in the wake of the breach.
“We can’t find any evidence that anyone misused any of the information,” said University Chief Information Officer Len Peters, adding that Google will not reveal if anyone has accessed the information.
The names and Social Security numbers of all people who had Yale Net IDs in 1999 were stored in a file on one of Yale’s file transfer protocol servers — servers used to hold open-source materials. That file became available in Google searches in September 2010, when Google extended its search capabilities to include FTP servers.
Google removed the file as soon as Yale contacted the company about its affiliates’ data in June, Peters said, and the file is no longer available by search.
Yale discovered the file was accessible when an alum who attended Yale in 1999 found his Social Security number in a Google search of his own name. Because his name was very uncommon, Peters said, the file containing his information was displayed on the first page of search results.
“It wasn’t a document that would have [otherwise] been ordered in Google’s rank search very highly,” Peters said.
The man’s wife, who is a Yale employee, immediately notified the University. Yale has since established a response center for affected individuals who have questions about the situation. The University is offering those people two years of free credit monitoring and identity theft insurance, said University Press Secretary Tom Conroy. Debix, a data security firm, will monitor credit files at three major United States credit bureaus for the next 24 months and plans to alert individuals by phone if new credit accounts are opened using their Social Security numbers.
ITS notified affected individuals of the breach and offered monitoring and insurance in an August letter. Though Peters said one tenth of the individuals notified decided to take advantage of the free services, he expects the figure to increase as time wears on.
“Lots of people are taking advantage of this service, which we’re highly recommending to everyone who received the letter,” Peters said.
He would not disclose how much the credit monitoring costs Yale. The University has also contacted vendors to conduct a complete security assessment of all information systems and processes, Peters said, adding that he expects Yale to select one by next month.
Peters said Google is not claiming responsibility for the incident, and will not contribute to the cost of the security and monitoring services Yale sought in its wake. Peters said the incident has not affected Yale’s relationship with Google, adding that he does not blame the company for the breach, since it occurred in the midst of a Google upgrade.
“Google was just doing what they do,” Peters said, “which was incrementally improving their service.”
The University contracted with Google to purchase the company’s Google Apps for Education suite in April after a lengthy debate over the company’s ability to protect Yale’s data.