Yale flunks information security test

The information was stored on a file transfer protocol (FTP) server used primarily for open source materials, according to a report by the Yale Daily News. The file containing the names and social security numbers, mostly of people who worked for Yale in 1999, was the only sensitive file exposed to the search engine, according to Len Peters, director of Yale’s Information Technology Services.

The university did not discover the breach until June 30, although the information had been searchable on Google since September 2010, when Google modified its search engine to find and index FTP servers, Peters explained.

“We immediately blocked that server from the Internet, removed the file and did a complete scan of the server to make sure there were no additional at-risk files”, Peters was quoted by the newspaper as saying.

Peters stressed that the information was contained in a “very inconspicuous file name”, so it was “pretty well hidden”, and that other search engines, such as Yahoo, do not index FTP servers.

In response to Peters’ claims, blogger simpsomatt said: “The issue is not whether Google, or any other search engine, indexes your FTP servers. The issue is that you're putting confidential data on servers with apparently no security, and just hoping nobody finds it. If Google was able to index it, then any user could have read it without Google's help. Google just made it more obvious. Placing confidential data on a server that is readable by anybody in the world is not secure, even if you use ‘innocuous’ file names and verify that a couple of the most popular search engines don't index it.”

Yale said it is offering two years of free credit monitoring and identity theft insurance to affected individuals.