Turns out Yale has more than a few Skull and Bones in the closet.
The Ivy League school fell prey to Google hacking, also known as Google dorking, when cybercriminals use Google search functions to access data on the Internet. USA Today's Bryon Acohido has a great post on the topic.
The practice is becoming more common. The latest victims: More than 43,000 Yale faculty, staff and students, both current and former as of 1999. Their personal data, including names and Social Security numbers, was stored on an FTP server accessible through a Web search.
Google started indexing FTP server data in September 2010 as part of changes to its search engine collection roadmap. As a result, FTP server data available worldwide was indexed by Google Spider. Yale learned of the breach on June 30. The data was available on the Internet for the past 10 months.
Three points worth further exploration immediately come to mind:
- If Google had access to data through ordinary FTP searches, who else could access the information? Is it possible that other collectors of FTP server data cached and accessed the compromised files?
- When this happens to educational institutions like Yale, it's obvious that the schools don't have a comprehensive program for monitoring content on the Internet. Schools can implement such programs either through a paid service or by creating their own specified Google Spider searches and reviewing them periodically.
- Finally, the exposed records date back to 1999. One could question the logic behind retaining records that are 12 years old. As a best practice, institutions should have in place a data retention and destruction policy as part of an organizational privacy framework that lays out a plan for the maintenance and lifecycle of personal data in their organization.
Knowing where your data is located, what are the access control mechanisms, and having an audit process to verify that resources are properly used, is generally part of every cyberrisk program. When one of them fails, a data breach is inevitable.
Meanwhile, breach victims are left in the lurch. We encourage folks whose data has been compromised to check with their bank or insurer to see if they qualify for CyberScout services.