SecurityWeek

Yale University Discloses Decade-Old Data Breach

“Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred.”

Yale University revealed that hackers broke into one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people.

The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well. 

According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university. 

“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says.

Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.

In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 2018. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire. 

Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft. 

Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
