Google search change leads to major higher-ed security breach


IT experts say campuses should more quickly adjust to Google search changes.

A modification in the way Google searches the web exposed the Social Security numbers of 43,000 people affiliated with Yale University, highlighting another data storage vulnerability that could vex campus IT leaders and prompting questions from technologists who are skeptical of colleges’ commitment to securing sensitive information.

The Yale breach is the latest high-profile data security incident in higher education—one that originated in September 2010, when Google announced its searches would include file transfer protocol (FTP) servers, which previously had been off-limits to general internet queries.

Social Security numbers of students, faculty, and alumni affiliated with the prestigious university in 1999 were available on the web for anyone to see after Google made its search change to include FTP servers, according to a Yale announcement released Aug. 26.

“Yale has secured the file, and Google has confirmed that its search engine no longer stores any information from the file,” the university said in its statement, adding that the school’s exposed file didn’t include financial information, birth dates, or other sensitive information.

Still, Yale has hired a data security firm to monitor credit reports at all three major credit bureaus for people affected by the data breach. The university launched a response center for anyone whose Social Security number was included in the breach, which was first discovered by Yale officials in late June.

Ondrej Krehel, a blogger for information protection company Identity Theft 911, wrote in an Aug. 23 post that the age of the files kept on Yale’s exposed FTP server should raise red flags for colleges and universities that might keep old information on campus servers.

“One could question the logic behind retaining records that are 12 years old,” Krehel wrote. “As a best practice, institutions should have in place a data retention and destruction policy as part of an organizational privacy framework that lays out a plan for the maintenance and lifecycle of personal data in their organization.”

Higher education IT officials rank cyber security among their most pressing responsibilities, but old security programs and methods have plagued campuses as hackers find ways around the technology, said Frank Andrus, chief technology officer of Bradford Networks, a computer security company based in Massachusetts.

“By and large, we find that educational institutions are very serious about data security,” he said. “Unfortunately many depend on home-grown security solutions – often developed by former students – that have long outlived their usefulness.”

The Yale breach is the latest case of “Google dorking,” a phrase bounced around the web referring to hackers’ persistent efforts to hijack personal information via the world’s most popular search engine.

Faculty members, students, and parents should be alarmed that Yale’s technology officials weren’t aware of the exposed server until 10 months after Google made its much-publicized announcement about the FTP servers, said Sue Marquette Poremba, a writer for ITBusinessEdge.com.

“You would hope that IT professionals, especially any who are in charge of security matters, keep abreast of changes, updates, or upgrades of applications like Google,” Marquette Poremba said. “To me, this points out why funding for IT security has to be a priority, especially in the education sector.”

Marquette Poremba also questioned the necessity for Google’s web searches to include such thorough examinations of files that were private until last fall’s search modification.

“Is there a reason why Google has to make searchable everything ever stored on a computer?” she said. “Thanks to Google, virtually nothing is private anymore.”

Just one cyber security slip-up, Krehel wrote, and a university or business is at serious risk of leaving its students, clients, or customers at the mercy of hackers trolling the web for personal information.

“Knowing where your data [are] located, what are the access control mechanisms, and having an audit process to verify that resources are properly used, is generally part of every cyber-risk program,” he wrote. “When one of them fails, a data breach is inevitable. Meanwhile, breach victims are left in the lurch.”
