Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Yale University Discloses Decade-Old Data Breach

“Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred.”

“Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred.”

Yale University revealed that hackers accessed one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people. 

The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well. 

According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university. 

“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says

Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.

In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 2018. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire. 

Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft. 

Advertisement. Scroll to continue reading.

Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”

Related: HR Services Firm ComplyRight Suffers Data Breach

Related: Timehop Data Breach Hits 21 Million Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.