Yale University has discovered that it was the victim of a cybersecurity breach that saw key personal data stolen a decade ago. The stolen data included social security numbers and dates of birth, some of which are thought to belong to students.
Despite the breach happening in 2008 and 2009, the Ivy League university only discovered it in June of this year when it was testing its security.
The people whose data was stolen have now been informed by the university. As students appear to have been among those impacted, it is possible that some will now be in senior positions, making the data potentially extremely valuable.
“Yale University is taking steps to help amend the potential damage of this breach by advancing the forensic investigation and contacting all affected parties as soon as possible,” said Ryan Wilk, vice president at NuData Security, a Mastercard company.
“On the flip side, although financial information was not exposed, even having your social security number, name, address, and date of birth stolen can still cause problems.
“Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names.”
Yale cybersecurity breach predated current security efforts
While Yale now has a strict system for handling personal data securely, this did not exist in its current form in 2008.
The university upgraded its system in 2011, but prior to that, social security numbers were used as a standard way to look up personal data on the system, meaning it was available on the network in an unencrypted form.
For businesses, the breach serves as a reminder about the importance of data protection within networks.
“Protecting data from breaches is becoming increasingly challenging, but innovations in technology and following best practices can help organisations detect and mitigate the damage after a data breach,” said Wilk.
“Organisations can do this by implementing intelligent ways to authenticate their users so that the stolen personally identifiable information is not enough to access an account.”