Yale Graduates Learn That Their Social Security Numbers Were Leaked 10 Years Ago
In the event of physical theft, you will most likely notice that your TV is missing. When it comes to the World Wide Web, however, things are a bit different. We've talked in the past about how data breaches often go undetected for months or even years, and unfortunately, Yale University recently made an announcement that proves the point rather well.
The data breach itself isn't terribly unusual. The intruders broke into the university's systems and made off with a database that contained the names, Social Security numbers, and, in most cases, the dates of birth of around 119 thousand alumni, faculty members and staff. Yale University said that some email addresses were also stolen and pointed out that no financial information has been compromised.
The university learned of the breach in June during a security review of one of its servers, but it wasn't until the end of July that notifications were sent to the affected individuals. Right now, there's a special page through which victims can get in touch with Yale University representatives who will offer a one-year subscription to a credit monitoring service paid for by the university. Pretty much nothing is out of the ordinary, until, that is, you find out when the data breach occurred.
The notification says that the perpetrators gained access to the compromised database between April 2008 and January 2009. That, in case you haven't checked out the calendar, was ten years ago. Details on how it all played out are nonexistent, but it's clear that throughout the last decade, the university's security checks failed to notice that something was wrong, and even when the database was cleared in 2011, Yale's IT team remained oblivious to the fact that it had been accessed before.
When a data breach happens, the first question on nearly everyone's mind is "Who did it?" Under normal circumstances, attribution is difficult. Unless they're complete amateurs, the hackers will know what they can do to cover their tracks. When the incident happened ten years ago, however, any hope of pinpointing the perpetrator is lost.
The announcement does state that there's no evidence of the data being misused, but the mere fact that it's been floating around for all these years is concerning. Furthermore, now that the incident has been made public, the bad guys might decide that the time to abuse the stolen information has come. Needless to say, the victims should keep their eyes peeled, and they might want to take Yale University up on its credit monitoring offer. For the rest of us, the incident can serve as a reminder of just how dangerous data breaches can be.