Yale exposes confidential security documents on unsecured server

The Yale Emergency Operations Team placed its confidential plans and procedures for natural and manmade disasters on the Yale NetID system, an unsecured server used by undergraduate and graduate students, faculty and staff, and alumni. The plans assess the risks of bombings, shooting rampages, and attacks on visiting dignitaries, and set out procedures for evacuation and emergency notifications, according to the paper.

On Monday, the newspaper informed Yale’s deputy secretary for the university, Martha Highsmith, who oversees the emergency operations, about the availability of the confidential documents. On Tuesday, the link to the documents was removed from the Emergency Management website on the Yale NetID system.

“We are reviewing what emergency planning information to post and in what form, and will be following up,” she told the newspaper on Tuesday. “In the meantime, the information is no longer broadly available.”

The documents include a 35-page Emergency Operations Plan as well as files on risk assessment and evacuation specifics, detailing, for example, how Yale would set up a field hospital during a mass illness. Highsmith said she was most concerned about the listing of 24-hour contact information for important university officials and operations instructions for Yale’s notification system.

A security analyst consulted by the newspaper said that contact information for top university officials and instructions for operating the emergency communications system should not have been publicly available online.

“I will assume that the administration will [now] probably be reviewing what should be accessible to whom and how it is stored and made accessible to those who need the information,” said Dolores Stafford, the president and chief executive of D. Stafford and Associates, a consulting firm specializing in campus safety and security.
