Until Tuesday, Yale’s detailed security plans and procedures were accessible to over 40,000 people.
The University’s Emergency Operations Team, which plans for natural disasters and other major incidents, has developed an extensive plan and operations protocol for every potential disaster that could strike the campus, meticulously assessing the risks of explosive devices, shooting rampages and attacks on visiting VIPs. Until Tuesday, documents marked “confidential” that contained evacuation plans and instructions for operating the emergency notification system were accessible to anyone in the Yale NetID system.
University Information Security Officer Morrow Long said the NetID network comprises over 40,000 individuals, and is subject to regular security breaches.
The News told Deputy Secretary for the University Martha Highsmith, who oversees Emergency Operations, about the extent of the information available online Monday afternoon. Although she was aware that some documents were on the web, she said she and her team would reassess what information to keep open to the Yale community at large. As of Tuesday, the link to the documents had been removed from the Emergency Management website, and an undergraduate NetID can no longer access the database.
“We are reviewing what emergency planning information to post and in what form, and will be following up,” she said. “In the meantime, the information is no longer broadly available.”
University President Richard Levin said Tuesday night that he had no idea that such information had been online, but declined to comment further. Maria Bouffard, director of Emergency Management, deferred all questions to Highsmith.
The server contained approximately 57 documents before it was taken down Tuesday. They included a 35-page Emergency Operations Plan as well as files concerning risk assessment and evacuations specifics, even detailing how the University would set up a field hospital during a mass illness and how to construct a monument after a large-scale campus tragedy. Highsmith said she was most concerned about the listing of 24-hour contact information for important University officials and operations instructions for Yale’s notifications system.
Within the file about the notifications system, a reader can find the log-in and password information for Yale’s Twitter and Facebook accounts as well as descriptions for how to operate the Blue Phone speaker system and the flat panel message boards.
The link to the server of EOT documents could be found through the Yale Emergency Management website. Members of the Yale community only needed to type in their NetIDs and passwords to gain access to the server.
The NetID system includes undergraduates, graduate and professional students, many faulty and staff, and some alumni; it is also the frequent victim of “phishing” attacks. This means that multiple accounts — never fewer than two or three — are compromised by external sources every week, Long said. Highsmith said the potential compromise of a NetID for purposes other then spamming is a kind of risk assessment that the University might want to look into further.
When contacted by the News, Highsmith said she already knew about the online information, and that the EOT had decided that students and other members of the community should have access to it.
She said the EOT aims to be as open as possible, short of alarming people unnecessarily. She likened the issue to snow alerts, saying that the University tries to give people as much information as possible about inclement weather and its effects, but does not unduly worry the community.
“Our goal, always, is the protection of the Yale community,” Highsmith said. “We have an extensive emergency planning and operations network and want Yale faculty, students and staff to be assured that appropriate plans in place. We try to balance sharing specific information with the need for confidentiality, especially regarding sensitive information that may be distributed outside the University.”
Two outside security analysts said that at least some of the information available online should never have been visible to the public. Dolores Stafford, the president and CEO of D. Stafford and Associates, a consulting firm specializing in campus safety and security, said that contact information for top University officials and instructions for operating the emergency communications system were most likely not intended to be online.
“I will assume that the administration will [now] probably be reviewing what should be accessible to whom and how it is stored and made accessible to those who need the information,” she said.
In addition to security documents, the server also included over 100 photos from an EOT training exercise.