"But it?s not clear whether Google?s index change is to blame, or whether Yale borked up by putting the social security numbers on an unprotected FTP server."
I would think it's pretty clear? Google's spiders are gonna eventually search anything they can access?
Yale having a block of PII data unencrypted on a server facing the internet... I don't see how Google can be blamed for that one?
I mean, maybe... at a stretch... Google should have employed some time of logic that flagged these as SSNs (if they don't have this logic already)? But, still, that's a stretch
Around 43,000 names and social security numbers of staff, students and alumni members of Yale University, have been searchable via Google for the last ten months.
Facepalm.
Discovered in June, officials say that there is no evidence to suggest that the information has been exploited.
The data, which contains information on staff and employees since 1999, was held on an unsecured FTP server — hidden from search engines until September 2010 — until Google started indexing FTP servers.
Reported to have an “innocent sounding” file and directory naming structure — the fact is, the data should not have been stored there in the first place.
Suffice to say, had this happened in England, the data protection agency, the Information Commissioner’s Office, would have burst a blood vessel over this one.
But it’s not clear whether Google’s index change is to blame, or whether Yale borked up by putting the social security numbers on an unprotected FTP server.
This comes as many other universities and colleges have suffered data lapses and breaches this summer.
Purdue University suffered a hack earlier this year, which affected students over a five year period, where social security numbers and other personal information of over 7,000 former students was left exposed.
The University of Wisconsin continues to investigate a breach which exposed over 75,000 social security numbers of student and staff. Malware was the cause of the breach, which is believed to have attacked a research repository server in a bid to access material yet to be released to the public.
Earlier this year, hackers attached to the 4chan messaging board attacked a New Jersey school district’s databases. Instead of just stealing data, hackers changed students’ grades and school dinner prices to $9,000.
The University of Kent also caused controversy by unlawfully disclosing disability data of students — myself included — for which was then investigated by the UK’s data protection agency.
The ICO also began an investigation in March where the data of 17,000 students from the University of York was leaked on its website — including personally identifiable information like dates of birth and qualification grades from previous examinations.
It has not been a great year for data protection of students. Having said that, no wonder European countries do not want to share its data with the United States — considering the data protection laws are appalling.
Related content:
- University of Wisconsin hacked: 75,000 social security numbers, student names exposed
- 4chan students hack district schools; Changed grades and $9,000 meals
- University of Kent ‘unlawfully’ disclosed disability data
- Safe Harbor: Why EU data needs ‘protecting’ from US law
- University in ’serious’ data breach; Publishes 17,000 students’ data
- CBS News: Google change exposed Yale social security numbers to would-be hackers
- CNET: Yale oversight exposes 43,000 Social Security numbers
