Around 20 years ago, Julie Mason submitted her social security number, among other personal information, to Yale as part of an application for a visiting student program. Now, Mason — who never received a degree from Yale — is suing the University after it was revealed that she, along with more than 100,000 others, was affected by a data breach that took place almost a decade ago.
Between 2008 and 2009, hackers breached a University database and extracted names, social security numbers and — in some cases — dates of birth, email addresses and physical addresses. The data, which included the personal information of about 119,000 people, was deleted from University servers in September 2011, when administrators were still unaware that the hacking had taken place.
It was not until June 2018 that the University became aware of the breach, during a security review of its servers. In July, Yale emailed the affected individuals to inform them of the breach. Just a few days later, Mason and more than 100 others — whose collective damages due to the breach exceed $5,000,000 — launched a class-action lawsuit against the University, according to court documents. The suit alleges that Yale failed to comply with existing privacy regulations.
“As a result of the data breach, Ms. Mason has suffered substantial harm,” the complaint reads. “As a direct and proximate result of Yale’s deceptive and unlawful acts and practices, Plaintiff and New York Subclass members have suffered and will continue to suffer injury, ascertainable loss of money or property, and monetary and non-monetary damages.”
Mason’s lawyer declined to comment. It’s unclear from the complaint whether she attended the program at Yale, and a representative from the law firm representing her declined to confirm whether she did. A University spokeswoman said Yale would not comment on pending litigation.
In the complaint, Mason states that the University deceptively assured her that her information would be protected. In addition to damages, Mason and the other plaintiffs are demanding that Yale maintain appropriate data protection practices and disclose in a timely and accurate manner whether a breach has occurred.
In 2014, the complaint states, $60,000 was taken from one of Mason’s bank accounts — as a result of stolen data from the breach of Yale’s servers, she claims. Using her personal information, the perpetrators of the theft were also able to change the password to Mason’s online banking account over the telephone. And Mason’s credit card accounts were also compromised, forcing her to pay to mail credit freeze requests to all three major credit reporting agencies.
In the July emails explaining the breach, the University stated that “members of the Yale community” had been impacted. However, Mason is not a Yale alumna, nor has she ever served as a faculty or staff member.
Michael Fischer, a Yale professor and expert in data breaches whose information was also hacked, said University administrators were not sufficiently aware of threats to campus security in 2009, when the incident occurred. The University did not create the chief information security officer position until 2011, months after 43,000 social security numbers belonging to Yale community members were found to be discoverable on Google in another incident.
David Opderbeck, an expert in cybersecurity and technology law at Seton Hall Law School, said higher-education institutions are especially vulnerable to data breaches because of the massive number of sensitive records they store, as well as the many points of access to that information in University databases. Higher education institutions have lagged behind corporations in terms of data privacy precautions, he added.
Gary Schober, a lawyer who works in cybersecurity, said that while cases like the one against Yale are usually resolved through settlements, the plaintiffs will first have to prove that the damages occurred specifically as a result of the breach.
“The clear lesson here is not to hold information you don’t really need,” Schober said. “There was absolutely no reason for Yale to have information on somebody who might have applied to the school a long time before the breach or collected in some other context when Yale really didn’t need the information anymore.”
Yale is offering a year of identity monitoring services to U.S. residents affected by the data breach.
Hailey Fuchs | hailey.fuchs@yale.edu