Yale University Discloses Decade-Old Data Breach
2.8.18 securityweek Incindent
"Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred."
Yale University revealed that hackers accessed one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people.
The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 18, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well.
According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university.
“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says.
Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.
In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 18. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.
Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft.
Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”