Yale University Data Breach

Yale officials are confirming Social Security Numbers Accessed in Yale University Data Breach. NBC reports the breach occurred between April 2008 and January 2009, and in 2011, Yale deleted personal information in that database as part of an effort to protect personal information on Yale servers, and was not aware at that time of the breach.

Ryan Wilk, Vice President at NuData Security:

“Yale University is taking steps to help amend the potential damage of this breach by advancing the forensic investigation and contacting all affected parties as soon as possible.

On the flip side, although financial information was not exposed, even having your social security number, name, address, and date of birth stolen can still cause problems. Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names.

Protecting data from breaches is becoming increasingly challenging, but innovations in technology and following best practices can help organizations detect and mitigate the damage after a data breach.

Organizations can do this by implementing intelligent ways to authenticate their users so that the stolen personally identifiable information is not enough to access an account. Organizations need security multi-layered intelligence that can evaluate not just the data but also the user behavior through passive biometrics and behavioral analytics. Behavioral-based authentication methods are proving to be extremely efficient in tackling this threat and keeping users’ accounts safe. Multi-layered solutions that evaluate the user’s behavior give a true insight into who is behind the device – and provide high accuracy on whether it is the consumer or a cybercriminal using consumers’ correct credentials.

Recognizing users’ online behavior, instead of basing a decision on a password, means that bad actors can’t use the stolen credentials to open an account, making leaked credentials valueless.”

Mark Zurich, Senior Director of Technology at Synopsys:

“Back in 2008-2009 very few companies were aware of such a cyber threat, nor were they taking the necessary precautions. I am not surprised that more companies and educational institutions have not come forward to divulge breaches that happened in the distant past. Perhaps they do not feel obligated to do so after a certain point. That being said, Yale is doing the right thing by making this breach public. This may (and should) wake up more educational institutions to the danger.

It is interesting that Yale noticed the breach once they started to take actions to protect their network and their data, which plays into the meta point here. This is also a problem that goes beyond educational institutions. They should have an IT department in this day and age just like any company would; depending on the size of the institution, they may even require a CISO. The IT resources within all educational institutions need to be trained, prepared, and equipped to protect the infrastructure and critical assets of that organization.

To boost your security stance, a comprehensive strategy and plan to protect your network and your data is absolutely necessary. Continuous monitoring of critical assets is also a must. Additionally, external penetration testing should be conducted on a regular basis.”