In 2005, Andrew Mason gave his Social Security number and other personal information to Yale when registering for one of the University’s summer programs. In July of 2018, Yale notified him that his personal data had been hacked. Now, Mason has filed a class-action lawsuit against the University for “negligence,” “reckless, wanton and wilful misconduct” and “unfair trade practices.”

According to the complaint, between April 2008 and January 2009, hackers broke into a Yale database, which contained information on then-current and former members of the Yale community, and were able to access their names, Social Security numbers and — in some cases — dates of birth as well as email and physical addresses.

The lawsuit, which was filed Oct. 15, is the second class-action complaint filed against Yale for the data breach. The first was filed Aug. 1 by Julie Mason. It is unclear whether the two plaintiffs are related.

University spokesperson Tom Conroy told the News that the University has not yet reviewed the second lawsuit.

The University discovered the breach this June — 10 years after the fact — but notified those affected more than a month after learning about it. The hacked data, which was deleted from University servers in 2011, included the personal information of more than 119,000 Yale alumni, faculty and staff members. It is still unclear who hacked the database, and it will likely remain so. Earlier this year, Yale spokesperson Karen Peart told the News that it would not be possible to identify the culprit 10 years after the fact.

In his suit, Andrew Mason claims that the University “improperly retained personal information, which was subsequently transferred to unauthorized persons during the breach, as evidenced by its statements that the personal identification information compromised in the breach was deleted from servers in September 2011 because it was unnecessary [to keep that] personal data.”

He further states that he must now continually monitor his accounts to safeguard against fraud and theft “and to deal with potential issues flowing from the Breach.” While Yale offered to cover one year of identity monitoring services to U.S. residents affected by the breach, Mason is requesting further compensatory and punitive damages from the University.

Lawyers representing Mason did not respond to a request for comment.

Gary Schober, a lawyer who works in cybersecurity, said that it is likely that the two cases will merge into one class-action suit. Still, he added that a class-action case like this will likely be resolved through an out-of-court settlement.

Michael Fischer, a Yale computer science professor and expert in data breaches whose information was also compromised during the 2008 breach, said that University administrators were not sufficiently aware of threats to campus security in 2009, when the incident occurred. Fischer said that this was not the only example of University carelessness when dealing with data.

Fischer told the News that in early 2010, he was made aware of the administration’s plans to move student emails off of the internal campus servers onto Google’s Gmail platform. He said the decision was made “without widespread campus input” and that at the time he “was very concerned that the security aspects of this decision seemed to have received little attention.”

“My takeaway from this experience was that the university was naive about security,” Fischer said. “[At the time,] ITS had one information security person, Morrow Long, with the title ‘University Information Security Officer,’ and there was only so much that one person could do to protect campus.”

Only in September 2011 did the University institute the position of chief information security officer, hiring Rich Mikelinich for that role. Mikelinich served in that capacity until 2017.

According to Mason’s suit, the University’s “substandard security practices were the direct and proximate cause of the breach.”

The 2008 breach was not the first time that personal data Yale collected from students, staff and faculty has been infiltrated.

In 2007, computers containing over 10,000 Social Security numbers of then-current and former students, faculty and staff members were stolen from the Yale College Dean’s Office. In 2010, then-Connecticut Attorney General Richard Blumenthal LAW ’73 initiated an investigation when a laptop storing the health information of over 1,000 individuals at the School of Medicine was stolen.

Later in 2010, a former student notified the University that he had found his Social Security number on the first page of Google results when he searched his own name. The names and Social Security numbers of 43,000 Yale affiliates were discovered to be publicly available through the search engine. The information was originally stored on the same servers as some of Yale’s open-source materials, and when Google began to index these servers, that personal data became discoverable.

David Opderbeck, a professor at Seton Hall Law School and expert in cybersecurity and law, told the News in August that universities are vulnerable to data breaches because of the large amounts of sensitive records they store. They also tend to have multiple points of access to information stored in University databases, he added.

In 2012, the hacker group NullCrew also alleged that it obtained personal data of Yale students and staff members in an attempt to illustrate the bugs in Yale’s database security.

Jever Mariwala | jever.mariwala@yale.edu

Skakel McCooey | skakel.mccooey@yale.edu