Yale University has disclosed that a data breach between 2008-09 may have compromised the personal information, Social Security numbers and other details of members of its community. Alumni, faculty members and staff members were impacted by the intrusion that took place between April 2008 and January 2009 when hackers managed to access a database stored on a Yale server.
The university's IT team deleted the details stored on the database in 2011 "as part of an effort to eliminate personal information on Yale servers". However, the breach was not detected at the time.
Yale said it discovered the intrusion during a routine security review of its servers when a log was found that revealed the breach. The school did not specify how many individuals were impacted in the breach or provide further details on how the incident occurred. It also added that experts believe it is "not feasible" to determine the identities of the perpetrators.
Compromised data included names, Social Security numbers and, in nearly all cases, dates of birth. Yale email addresses were also exposed in many cases as well as physical addresses in some cases. Nearly all of the people affected were affiliated with the university. However, no information was exposed in the breach.
The school added that if a person was not affiliated with Yale until after January of 2009, there is no reason to believe that their information was compromised in the incident.
"Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred," Yale University said in a statement. "We understand the concern and inconvenience that events of this kind cause to people who are affected by them. Yale is offering identity monitoring services to all affected U.S. residents through Kroll."
The university said it has taken steps to prevent similar intrusions.
"First, Yale stopped using Social Security numbers as routine identifiers in 2005, and we regularly seek to identify and delete unnecessary files with personal information," the institution said. "Second, Yale has placed strict limitations on the sharing of Social Security numbers within the University. Third, Yale is systematically testing its data center servers to identify possible vulnerabilities. It was that testing program that led us to discover the intrusion into your information."
In a letter sent to individuals impacted by the incident, Senior Vice President for Operations Jack F. Callahan, Jr. said: "Yale takes seriously the protection of personal information, and we continue to improve our electronic security and
eliminate the unnecessary storage of such information," senior We very much regret this incident and the inconvenience to you."
This isn't the first time Yale University has suffered a security incident.
In 2011, about 43,000 faculty, staff, students and alumni affiliated with Yale in 1999 had their names and Social Security numbers stored on a searchable FTP server was publicly exposed via Google search for about 10 months.