Yale University data breach compromised social security numbers
31 July 2018
It took Yale University ten years to discover a security breach it suffered between April 2008 and January 2009 that resulted in the compromise of names, social security numbers, dates of birth, e-mail addresses and physical addresses of staff and students.
Breach discovered during vulnerability testing
Yale University discovered the breach when it was testing its servers for vulnerabilities in June this year. Even though personal information stored in the affected database was deleted in 2011 by the University, it did not realise at the time that the database had been accessed by hackers previously.
The University no longer uses social security numbers as identifiers and, in fact, introduced new security measures years ago, including carrying out vulnerability-testing of servers and limiting the sharing of sensitive information within systems. However, it is now offering identity monitoring services to those who were affected by the data breach.
“Although financial information was not exposed, even having your social security number, name, address, and date of birth stolen can still cause problems. Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names,” warns Ryan Wilk, vice president at NuData Security.
“Protecting data from breaches is becoming increasingly challenging, but innovations in technology and following best practices can help organizations detect and mitigate the damage after a data breach. Organisations can do this by implementing intelligent ways to authenticate their users so that the stolen personally identifiable information is not enough to access an account.
“Organisations need security multi-layered intelligence that can evaluate not just the data but also the user behaviour through passive biometrics and behavioural analytics. Behavioural-based authentication methods are proving to be extremely efficient in tackling this threat and keeping users’ accounts safe. Multi-layered solutions that evaluate the user’s behaviour give a true insight into who is behind the device – and provide high accuracy on whether it is the consumer or a cybercriminal using consumers’ correct credentials,” he added.
Universities need IT teams to secure personal data
Mark Zurich, Senior Director of Technology at Synopsys, said that ten years ago, very few companies were aware of such a cyber threat, nor were they taking the necessary precautions to protect their databases. That being said, Yale is doing the right thing by making this breach public. This may (and should) wake up more educational institutions to the danger.
“It is interesting that Yale noticed the breach once they started to take actions to protect their network and their data, which plays into the meta point here. This is also a problem that goes beyond educational institutions. They should have an IT department in this day and age just like any company would; depending on the size of the institution, they may even require a CISO. The IT resources within all educational institutions need to be trained, prepared, and equipped to protect the infrastructure and critical assets of that organization,” he adds.
The fact that Universities need IT resources to store and secure personal information of staff and students in secure locations can not be understated considering that several universities in the UK and abroad have suffered major breaches in the recent past that compromised sensitive details of employees.
For example, the ICO recently imposed a fine of £120,000 on the University of Greenwich for failing to prevent the breach of personal data of nearly 20,000 students, staff and alumni. According to the ICO, the University failed to secure a microsite that contained personal details of 19,500 students, staff, and alumni such as “information on extenuating circumstances, details of learning difficulties and staff sickness records”. The microsite was breached by hackers in 2014.