[BreachExchange] Yale Sued Again For Data Breach That Impacts More Than 100, 000 Former Students

Destry Winant destry at riskbasedsecurity.com
Thu Oct 18 15:20:42 EDT 2018


http://www.courant.com/news/connecticut/hc-yale-data-breach-lawsuit-20181017-story.html

A second lawsuit has been filed against Yale University over a
10-year-old data breach in which personal information of more than
100,000 students was obtained by hackers.

In June during a routine security review of its servers Yale officials
discovered that hackers gained access to electronic records containing
personal information, including social security numbers, birth dates,
email and home addresses stored on its database between April 2008 and
January 2009.

One of those students is Andrew Mason, who attended a summer program
at Yale in 2005. Mason is the named plaintiff in what will likely
become a class-action lawsuit.

Yale sent a letter to students impacted by the breach about six weeks
after the university became aware of it, offering12 months of free
identity-theft protection services to those students.

The hacker’s identity remains unknown. Yale officials have said they
don’t plan to conduct an investigation because it would not be
possible to identify a suspect 10 years after the breach.

The lawsuit alleges that Yale “improperly retained personal
information, which was subsequently transferred to unauthorized
persons during the breach, as evidenced by its statements that the
personal identification information compromised in the breach was
deleted from servers in September 2011 because it was unnecessary
personal data.”

It also alleges that Yale was made aware of serious data breach issues
in 2012 by a hacker group known as NullCrew which notified school
officials that it “obtained personal information about Yale students
and staff members by exploiting security faults in Yale’s databases.”

A similar lawsuit was filed in August by a woman named Julie Mason. It
is unclear if she is related to the other plaintiff, Andrew Mason.

Yale officials could not be reached for comment Wednesday.


More information about the BreachExchange mailing list