Yale oversight exposes 43,000 Social Security numbers

Purdue University also reports exposure of more than 7,000 Social Security numbers after unknown person accesses server.

Elinor Mills Former Staff Writer

Names and Social Security numbers of 43,000 Yale University students, faculty, staff, and alumni were accessible via the Google search engine for about 10 months, according to the school newspaper.

The problem was discovered June 30 and university officials disclosed it on August 12, offering affected individuals two years of free credit monitoring and identity theft insurance even though they said there was no indication that the information had been exploited, the Yale Daily News reported last week.

The data, mostly belonging to people who worked for the university in 1999, was stored on a file transfer protocol (FTP) server that had been hidden from Web search engines until September 2010 when Google's search engine started indexing FTP servers, said Len Peters, Information Technology services director for Yale. The school's IT department was unaware of that change, he said.

The file and its directory had innocent-sounding names, and someone encountering the file via Google would not be able to figure out what was in it without first opening it, according to Peters.

"It was pretty well-hidden, with a very inconspicuous file name," said Peters, who was hired late last year.

Google representatives would not reveal whether anyone had accessed the data from its search engine, he said.

Meanwhile, an intruder accessed a server containing Social Security numbers and other personal information of more than 7,000 former Purdue University students, the school warned last week. The breach occurred April 5, 2010, and affected students who took math courses from 2000 through the summer session of 2005, according to the statement.

"Through our investigation, we found no evidence that the unauthorized user attempted to find or read any files with personal information in our system, but felt informing people who may have been affected was a necessary precaution," said Laszlo Lempert, head of the Department of Mathematics. "We regret the breach occurred, and we've taken extensive measures to prevent this from happening again."

(Via Computerworld and Security News Daily.)