Yale University

10,200 SSNs Exposed After Yale Computer Theft

Quick Facts

Abstract
Yale University is alerting 10,000 current and former students and about 200 staff members over the exposure of Social Security Numbers following the recent theft of two Yale computers. The computers in question were stolen from the Yale College (the undergraduate program) Dean's Office. These two computers contained the names and Social Security numbers of current and former students and some staff members but did not contain any financial information. The stolen computers are password protected and Yale officials believe the risk to individuals is low since the thief was most likely after the computer hardware and not the data. These files were not maintained on these computers for any purpose but were instead overlooked during recent Yale efforts to reduce the amount of PII on personal computers.




Hackers Use Yale Name To Spread WMF Exploit

Quick Facts

Abstract

A forged e-mail address of a Yale professor was used by hackers to spread a variant of the WMF exploit. The e-mail attempts to fool recipients into clicking on an included hypertext link. The e-mail is from a fictitious "Professor Robert Gordens" and asks the recipients for help in catching a graffiti vandal. Yale has not been linked to this WMF attack but has already received over 30 complaints from British citizens.




Princeton Student Hacks Yale Computer System

Quick Facts

Abstract

Princeton University has admitted that its admissions personnel hacked into rival Yale's computer system to check on the application status of 11 students who also had applied to Princeton. The university has suspended with pay its associate dean and director of admissions, and a spokeswoman expressed deep regret "that information provided by students in good faith to the university was used inappropriately by at least one official in our admissions office." The perpetrator(s) apparently were easily able to access the students' records via the publicly available Yale.edu Web site because they already had the students' passwords -- the names, Social Security numbers and dates of birth they had provided on their Princeton applications. The site had been set up with a feature that enabled students to check on the status of their applications themselves. The founder of one electronic-rights group noted that while Princeton's actions clearly were wrong, it was foolish of Yale to rely on Social Security numbers and birth dates to secure student data. "It's not enough to have a weak Web site and depend on the good ethical behavior of others not to penetrate it," he said. "Similarly, it is not adequate to say that just because you found the weak Web site you should go ahead and penetrate it." (Wall Street Journal, 26 July 2002)

[Abstract taken directly from INFOSEC Year In Review]