Yale, the prominent US university, revealed this week the existence of a “data intrusion” which took place between 2008 and 2009.
On July 26 and 27, the academic institution notified members of Yale, alumni, faculty members, and staff that Yale believes were impacted by the breach.
According to the university, 119,000 individuals were affected.
A threat actor managed to access a database managed by Yale and exfiltrate names, Social Security numbers, and — in the majority of cases — dates of birth. Some victims also had their Yale email addresses and physical addresses stolen.
However, no financial information was involved in the security breach.
Yale University was unaware of the intrusion at the time. In 2011, personal information was deleted from the database as part of an updated data protection mandate, but the intrusion was still not detected.
It was not until June 16 this year that a routine check of servers and systems uncovered evidence of a data breach.
In addition, at some point between March 2016 and June 2018, the database was once again accessed by an unknown threat actor, who was able to steal the names and Social Security numbers of 33 individuals.
Yale says there has been no indication that the stolen data was ever misused or offered for sale in the underbelly of the Web, as is often the case in large database breaches.
“Back in 2008-2009 very few companies were aware of such a cyber threat, nor were they taking the necessary precautions,” says Mark Zurich, Senior Director of Technology at Synopsys. “I am not surprised that more companies and educational institutions have not come forward to divulge breaches that happened in the distant past. Perhaps they do not feel obligated to do so after a certain point.”
“That being said, Yale is doing the right thing by making this breach public,” Zurich added. “This may (and should) wake up more educational institutions to the danger.”
In May, the University of Greenwich was fined £120,000 by the UK Information Commissioner over a data breach which impacted 20,000 people.
Information including names, addresses, and telephone numbers belonging to 19,500 people, including sensitive data on conditions such as learning difficulties and illness, was stolen and leaked online.