Google index change exposes 43,000 Yale social security numbers

Summary: Another day, another serious data breach. This time, Yale University left social security numbers on an unsecured server, and complained when Google indexed it. Facepalm.

Around 43,000 names and social security numbers of staff, students and alumni members of Yale University have been searchable via Google for the last ten months.

Facepalm.

The exposure was discovered in June, and officials say that there is no evidence to suggest that the information has been exploited.

The data, which contains information on staff and employees since 1999, was held on an unsecured FTP server, which was hidden from search engines until September 2010, when Google started indexing FTP servers.

The file and directory naming structure was reported to be "innocent sounding" -- but the fact is, the data should not have been stored there in the first place.

Suffice to say, had this happened in England, the data protection agency, the Information Commissioner's Office, would have burst a blood vessel over this one.

But it's not clear whether Google's index change is to blame, or whether Yale borked up by putting the social security numbers on an unprotected FTP server.

This comes as many other universities and colleges have suffered data lapses and breaches this summer.

Purdue University suffered a hack earlier this year, which affected students over a five-year period, where social security numbers and other personal information of over 7,000 former students were left exposed.

The University of Wisconsin continues to investigate a breach which exposed over 75,000 social security numbers of students and staff. Malware was the cause of the breach, which is believed to have attacked a research repository server in a bid to access material yet to be released to the public.

Earlier this year, hackers attached to the 4chan messaging board attacked a New Jersey school district's databases. Instead of just stealing data, hackers changed students' grades and school dinner prices to $9,000.

The University of Kent also caused controversy by unlawfully disclosing disability data of students -- myself included -- which was then investigated by the UK's data protection agency.

The ICO also began an investigation in March where the data of 17,000 students from the University of York was leaked on its website -- including personally identifiable information like dates of birth and qualification grades from previous examinations.

It has not been a great year for data protection of students. Having said that, no wonder European countries do not want to share their data with the United States -- considering the data protection laws are appalling.


Talkback

15 comments
  • RE: Google index change exposes 43,000 Yale social security numbers

    "But it's not clear whether Google's index change is to blame, or whether Yale borked up by putting the social security numbers on an unprotected FTP server."

    I would think it's pretty clear? Google's spiders are gonna eventually search anything they can access?

    Yale having a block of PII data unencrypted on a server facing the internet... I don't see how Google can be blamed for that one?

    I mean, maybe... at a stretch... Google should have employed some type of logic that flagged these as SSNs (if they don't have this logic already)? But, still, that's a stretch
    UrNotPayingAttention
  • RE: Google index change exposes 43,000 Yale social security numbers

    I think the fact that Yale put it in an unsecured FTP server is pretty self-explanatory in this case. You would think an institution of Yale's stature would know better. But then again, they're known more for their politicians than engineers.
    hoaxoner
  • RE: Google index change exposes 43,000 Yale social security numbers

    Yea, it's YALE's fault 100%. Google can't be responsible for knowing at a moment's notice what the spider is picking up. Yale should not have posted it. Change your story title, it sounds like a crass attempt at making Google look bad.
    Doug0915
    • RE: Google index change exposes 43,000 Yale social security numbers

      @Doug0915

      "... like a crass attempt at making google look bad."

      At every turn. It doesn't stop here at Zdnet.
      Return_of_the_jedi
    • RE: Google index change exposes 43,000 Yale social security numbers

      @Doug0915 It doesn't take much to make Google look bad. They do that well enough on their own.
      jhammackHTH
  • Google is not to blame

    "But it's not clear whether Google's index change is to blame, or whether Yale borked up by putting the social security numbers on an unprotected FTP server."

    If the spidering was carried out by a human or a group of humans, verified and published then Google would have to take some of the blame. HOWEVER a search engine spider is not an actual spider that delivers results to a team of people; it's just a pile of 1's and 0's doing EXACTLY what it was programmed to do; search every corner of the internet.

    To a search engine SSNs are seemingly random strings, imagine how many websites use random strings for URLs and how small search results would be if these were omitted by Google.

    The IT department that were dumb enough to keep sensitive data on an unsecured FTP server and not notice for 10 months should be held accountable, not the search engine!

    To blame Google is no different to blaming the person who finds a "suspicious package" at a train station and not the people who put it there!
    Parassassin
  • I have to agree

    Misleading title.
    deschutescore@...
  • RE: Google index change exposes 43,000 Yale social security numbers

    I gotta agree with most on here. You don't put SSNs on a public-facing server, ever, particularly not an unsecured one. The public Internet is basically the same as the public domain. Google can search and index everything it wants that's unsecured and public-facing. It's the responsibility of the server admin to make sure that no personal information is publicly available.
    swmace
    • RE: Google index change exposes 43,000 Yale social security numbers

      @swmace

      Why are SSNs on a file server? Food for thought.

      PS. Shouldn't those be in the main office in the file cabinet (http://www.worksafetech.net/catalog/images/file_cabinet_lock.gif).
      Return_of_the_jedi
      • a file cabinet .......so 1950's.....yeh ...... but it might work

        @Return_of_the_jedi .... that's something even Loverock Davidson would go for, as long as he held the keys ....... then we know everything would be real safe :-)
        Over and Out
  • Facepalm...

    Perdue University? For some reason I envision chickens wearing mortarboards...
    cabdriverjim
    • You stole my thunder...

      @cabdriverjim
      First thing I thought when I read that was the next class of graduating chickens and turkeys. Dandelion fed, of course.
      jasonp@...
      • RE: Google index change exposes 43,000 Yale social security numbers

        @jasonp@... Good catch, thanks. Corrected!
        zwhittaker
  • Oops!

    Not much left to say, except "Isn't this a great form of economic and societal structure as well live in?"
    HypnoToad72
  • Message has been deleted.

    thx-1138_