Yale notified about 119,000 alumni, faculty and staff earlier this week that, between 2008 and 2009, hackers breached a University database and extracted their names and social security numbers.
The breach, which in some cases also compromised dates of birth, email addresses and physical addresses, remained undetected for more than a decade. It was not until June that the University discovered the intrusion while conducting a security review of its servers, according to University spokesman Karen Peart.
“In the 10 years since this intrusion was perpetrated, Yale has continually improved its electronic security,” Peart said in a statement to the News. She added that the security review that uncovered the intrusion was one of those improvements.
According to Peart, the University deleted the personal information compromised in the breach in September 2011 to clear out unnecessary personal data, though, at the time, administrators were still unaware of the hacking.
The identity of the perpetrator or perpetrators remains unknown. Asked whether Yale would conduct an investigation, Peart said it would not be possible to identify the culprit 10 years after the fact.
Indeed, Michael Fischer, a Yale computer science professor who specializes in security and cryptography, said attribution is difficult. Fischer said he too received a letter notifying him that his information had been compromised in the breach, adding that the University’s disclosure has left many questions unanswered.
“It’s very vague about what database was penetrated,” he said. “What happened in January 2009 — did it stop then? Did Yale update their software and that stopped the breach, or am I to read this as sometime during that nine-month period intruders gained access?”
The University notified alumni, faculty, and staff affected by the breach on July 26 and 27, more than a month after it became aware of the intrusion.
“I am writing, with regret, to inform you that, between April 2008 and January 2009, intruders gained electronic access to a Yale database and extracted names and Social Security numbers, including yours,” wrote Senior Vice President for Operations Jack Callahan in a letter to those affected.
This is not the first time the University has lost its grip on the data of students, faculty, and staff. Several times, the theft of University computers has compromised the personal information of thousands. In 2010, then-Connecticut Attorney General Richard Blumenthal launched an investigation after the theft of a laptop at the School of Medicine that held health information on upwards of 1,000 individuals.
That same year, the names and social security numbers of 43,000 Yale affiliates were discovered to be publicly available on Google. The information was stored on one of the University’s file transfer protocol servers, used to hold open-source materials. When Google expanded its searches to include FTP servers, that information became publicly searchable. The University was not made aware of the problem until a former student found his social security number on the first page of search results for his own name.
Following the incident, the University found no evidence that information had been exploited and offered credit monitoring services and insurance to those affected.
And again in 2012, the hacker group NullCrew claimed to have obtained personal information from Yale students and staff members in an effort to prove security faults in the University’s databases.
And Yale’s own computer science department is not immune to data intrusion. On April 2, 2012, the department became aware of an account compromise on a machine, likely due to a weak password, Fischer said. The account belonged to someone no longer in the department, he added.
But the most recent breach of data far exceeds the 2010 or 2012 intrusions. In response to the June discovery, Yale is offering to cover 12 months of identity monitoring services to U.S. residents, and recommends that those affected watch for signs of misuse of their personal information.