Yale University Data Breach Discovered A Decade After It Happened

Yale University discovered on June 16^th that its systems were breached sometime between April 2008 and January 2009, according to a letter sent by the prestigious school to potentially-impacted alumni, members of the faculty, and support staff.

Whoever compromised Yale’s security stole data including names, Social Security Numbers, and dates of birth.  In many cases, the thief (or thieves) also obtained corresponding Yale e-mail addresses, and, in some cases, even people’s physical home addresses.

The breach was detected last month while Yale’s information-technology team was performing various vulnerability tests on its servers, and, in the process, discovered records in a log file that showed that intruders had gained access to a Yale database a decade ago. Ironically, perhaps, due to information-security concerns, Yale itself no longer has the information that was stolen – the university stopped using Social Security Numbers as routine identifiers back in 2005, and, in 2011, as part of an effort to remove unneeded personal information from Yale equipment, it deleted from its databases the data now known to have been previously stolen. Prior to June 16th of this year, however, Yale was unaware that a nefarious party had pilfered the data before it was wiped.

Yale is offering identity protection services to those whose data leaked; realistically speaking, however, if the party who stole the data planned to use it for nefarious purposes, he or she likely began doing so a long time ago. (Criminals sometimes wait to exploit stolen personal information until a couple years after a breach is detected – that is, until the free subscriptions to identity protection services so often provided by victim organizations expire – but, it is unlikely that a crook would be willing to wait for a decade before commencing use.)

Personally, I suspect that the culprit will never be caught unless he or she independently comes forward: finding the perpetrators of a cyber-breach is often quite difficult even when the breach is detected in real time; identifying who stole data a decade ago is likely to be nothing short of impossible, as many relevant log files and other sources of needed clues have long since been deleted.

One important lesson that we can learn from the Yale announcement is that breaches are often not quickly discovered. In fact, while the media may frequently run stories of high-profile cyberattacks, the reality is that, just as the Yale breach was for a decade,

Most data breaches are never detected.

Unlike money, which can easily be noticed as missing when it is stolen from someone’s bank account, or credit card fraud that can become obvious to victims when they receive their statements, data that is stolen is simply copied – there is often zero impact to the original content. As a result, more often than not, a data breach victim has no knowledge that his or her data has been compromised.

As such, it is important not to reuse passwords to sensitive sites (it is safe to reuse passwords when the passwords do not really matter – please see the article, Why You Should Ignore Everything That You Have Been Told About Passwords, for more information), and to provide as little personal information as possible when conducting business. Businesses should also follow Yale’s example, and stop storing sensitive information that they do not need.

Of course, improving one’s cybersecurity hygiene can also help prevent breaches in the first place (please see the article 13 Tips to Achieve Great CyberSecurity Without Spending a Fortune for some tips). As Ryan Wilk, Vice President of Mastercard’s NuData Security, put it: “Protecting data from breaches is becoming increasingly challenging, but innovations in technology and following best practices can help organizations detect and mitigate the damage after a data breach.”