Turns out Yale has more than a few Skull and Bones in the closet.
The Ivy League school fell prey to Google hacking, also known as Google dorking, when cybercriminals use Google search functions to access data on the Internet. USA Today’s Bryon Acohido has a on the topic.
The practice is becoming more common. The latest victims: More than 43,000 Yale faculty, staff and students, both current and former as of 1999. Their personal data, including names and Social Security numbers, was stored on an accessible through a Web search.
Google started indexing FTP server data in September 2010 as part of changes to its search engine collection roadmap. As a result, FTP server data available worldwide was indexed by Google Spider. Yale learned of the breach on June 30. The data was available on the Internet for the past 10 months.
Three points worth further exploration immediately come to mind:
- If Google had access to data through ordinary FTP searches, who else could access the information? Is it possible that other collectors of FTP server data cached and accessed the compromised files?
- When this happens to educational institutions like Yale, it’s obvious that the schools don’t have a comprehensive program for monitoring content on the Internet. Schools can implement such programs either through a paid service or by creating their own specified Google Spider searches and reviewing them periodically.
- Finally, the exposed records date back to 1999. One could question the logic behind retaining records that are 12 years old. As a best practice, institutions should have in place a data retention and destruction policy as part of an organizational privacy framework that lays out a plan for the maintenance and lifecycle of personal data in their organization.
Knowing where your data is located, what are the access control mechanisms, and having an audit process to verify that resources are properly used, is generally part of every cyberrisk program. When one of them fails, a data breach is inevitable.
Meanwhile, breach victims are left in the lurch. We encourage folks whose data has been compromised to check with their bank or insurer to see if they qualify for Identity Theft 911 services.
Data breach victims can also follow these 6 tips to protect their identities.
Ondrej Krehel, Chief Information Security Officer,
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
One Response
Leave a Reply
Identity Theft 911 is the nation’s premier consultative provider of identity and data risk management, resolution and education services. To learn more, visit .
Categories
- Adam Levin (19)
- Betty Chan-Bauza (5)
- Brian McGinley (14)
- Child Identity Theft (14)
- Data Breach (40)
- Debt Tagging (2)
- Digital Forensics (4)
- Eduard Goodman (18)
- Hacking/Viruses (40)
- Identity Protection (59)
- Identity Theft (64)
- Industry Data & News (76)
- Internet Safety (37)
- Matt Cullina (15)
- Media (2)
- Mobile Security (15)
- Ondrej Krehel (56)
- Podcast (10)
- Privacy (37)
- Security (56)
- Social Media (13)
- Tax Fraud (8)
- Uncategorized (1)
- Victor Searcy (1)
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
[...] Yale Gets Google Dorked [...]