[BreachExchange] Yale University discloses old school data breach

Destry Winant destry at riskbasedsecurity.com
Wed Aug 1 22:23:26 EDT 2018


https://www.zdnet.com/article/yale-discloses-old-school-data-breach/

Yale University has disclosed a security breach which occurred a decade ago.

The prominent US university revealed this week the existence of a
"data intrusion" which took place between 2008 and 2009.

On July 26 and 27, the academic institution notified members (.PDF) of
Yale, alumni, faculty members, and staff that Yale believes were
impacted by the breach.

According to the university, 119,000 individuals were affected.

A threat actor managed to access a database managed by Yale and
exfiltrate names, Social Security numbers, and -- in the majority of
cases -- dates of birth. Some victims also had their Yale email
addresses and physical addresses stolen.

However, no financial information was involved in the security breach.

Yale University was unaware of the intrusion at the time. In 2011,
personal information was deleted from the database as part of an
updated data protection mandate, but the intrusion was still not
detected.

It was not until June 16 this year that a routine check of servers and
systems uncovered evidence of a data breach.

In addition, at some point between March 2016 and June 2018, the
database was once again accessed by an unknown threat actor which was
able to steal the names and Social Security numbers of 33 individuals.

Yale says there has been no indication that the stolen data was ever
misused or found itself in the underbelly of the Web for sale, as
often is the case in large database breaches.

"Back in 2008-2009 very few companies were aware of such a cyber
threat, nor were they taking the necessary precautions," says Mark
Zurich, Senior Director of Technology at Synopsys. "I am not surprised
that more companies and educational institutions have not come forward
to divulge breaches that happened in the distant past. Perhaps they do
not feel obligated to do so after a certain point."

"That being said, Yale is doing the right thing by making this breach
public," Zurich added. "This may (and should) wake up more educational
institutions to the danger."

In May, the University of Greenwich was fined £120,000 by the UK
Information Commissioner over a data breach which impacted 20,000
people.

Information including names, addresses, and telephone numbers
belonging to 19,500 people, including sensitive data on conditions
such as learning difficulties and illness, was stolen and leaked
online.

