Yale Exposes 43k SSNs

Another university just lost some cred.  ComputerWorld is reporting that Yale University has notified about 43,000 faculty, staff, students and alumni affiliated with Yale in 1999 that their names and Social Security numbers were publicly available via Google search for about 10 months.  The breach resulted from a File Transfer Protocol (FTP) server becoming searchable via Google as the result of a change Google made last September, according to the Yale Daily News.  Yale IT Services Director Len Peters said the FTP server in question was used mainly for open-source materials.

When Yale discovered the breach in June, it immediately took the server offline, deleted the sensitive data and examined the server for other sensitive data.  Yale officials have not clarified how the data was compromised, how the breach was discovered, or whether any of the data was actually accessed.  The victims are being offered identity theft insurance and free credit monitoring services for two years.

In June, Southern California Medical-Legal Consultants Inc. (SCMLC) said that the names and Social Security numbers of about 300,000 people who had filed for California workers' compensation had been potentially compromised.  That breach resulted when an internal server on which the data was stored became exposed to web searches.  In that case, SCMLC learned of the breach from security firm Identity Finder.  Identity Finder said that its researchers had uncovered 3,875 uncompressed files containing gigabytes of personal data on an SCMLC server exposed to the Web.

The files were not encrypted or password-protected and were cached by at least one major search engine.  The company worked with Google to clear caches.  As of today, Google caches are clear of sensitive personal information from SCMLC.

Yes, Google exposed the FTP servers.  However, the FTP servers should not have been configured to be reachable or searchable, or to hold that kind of information in an easily indexable fashion.  How much do you want to bet it was simply convenient to just drop it there?  Oops.