Yale data breach discovered 10 years too late

Yale University discovered it suffered a data breach -- 10 years ago.

The Yale data breach occurred at some point between April 2008 and January 2009, but officials are unsure exactly when it took place. The Yale data breach included sensitive data, such as names, Social Security numbers and birthdates, on an unknown number of people, as well as some email addresses and physical addresses.

Because the Yale data breach happened so long ago, the university claimed it did not have much information on how it occurred. In its announcement of the breach, Yale noted that, in 2011, the school's IT team "deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time."

The Yale data breach was not discovered until June 2018 when the school's IT team was "testing its servers for vulnerabilities and discovered a log that revealed the intrusion."

Ryan Wilk, vice president at NuData Security, based in Vancouver, B.C., said the data included in the breach was more than enough to put users at risk.

"Although financial information was not exposed, even having your Social Security number, name, address and date of birth stolen can still cause problems," Wilk wrote via email. "Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students' names."

The school said it notified those students, alumni, faculty and staff members affected by the breach and has offered identity monitoring services.

Zach Seward, chief product officer and executive editor at Quartz, based in New York, was one victim in the Yale data breach, and he relayed his story on Twitter.

Got a letter from Yale saying that hackers obtained my social security number from the university. My one and only interaction with Yale was applying to attend there in 2002. Yale says the breach happened in 2008 or 2009 and was discovered last month. Data have nine lives.

— Zach Seward (@zseward) July 31, 2018

Wilk said it might not be Yale's fault for not discovering the breach sooner.

"Malicious actors are learning not only to access a system, but also to do it without leaving a trace. This extreme sophistication results in hard-to-uncover breaches that can take a long [time] to reveal. We encourage companies and organizations to monitor their security system constantly and to stay alert for any unusual activity," Wilk wrote. "Even if they've checked unusual activity thousands of times and it turned out to be nothing risky, the next time that anomaly may just be your cybercriminal at work."