On June 30, staff at the University’s Information Technology Services office got an unwelcome surprise when they found that the names and Social Security numbers of 43,000 Yale affiliates had been showing up in Google searches for the previous 10 months.
The breach occurred when Google altered its search in September 2010 to find and index special file transfer protocol (FTP) servers, such as the one that stored the Yalies’ private information. ITS has taken steps to protect the information compromised in the breach, which Yale publicly announced Aug. 12, and set about notifying the affected students, faculty, staff and alumni — all of whom were linked to the University in 1999 — via postal mail.
Though ITS Director Len Peters said there is no indication that the information has been exploited, Yale has established a response center for affected individuals and is offering them two years of free credit monitoring and identity theft insurance.
“I wasn’t thrilled about it but I’m not terribly concerned,” said Heather Jones ’99, whose Social Security number was one of those included in the file. “Honestly, I’m going to take my chances and not do anything about it.”
While Google representatives told the University that the file is no longer available in searches, they would not say whether any Google users had actually accessed the file.
“We immediately blocked that server from the Internet, removed the file, and did a complete scan of the server to make sure there were no additional at-risk files,” Peters said.
The information was stored on an FTP server used primarily for open source materials. Peters said the file containing the names and Social Security numbers, mostly of people who worked for the University in 1999, was the only sensitive file to be made public. The file did not include addresses, birth dates or financial information.
Since Google modified its search to include FTP servers, hackers have developed a process, called “Google dorking,” for finding and exploiting weaknesses via the search.