Data Intrusion Response

INFORMATION FOR THE YALE COMMUNITY, INCLUDING PERSONS WHO RECEIVED NOTICE 

On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009.    A model of the notice letter mailed to U.S. residents can be found here

We understand the concern and inconvenience that events of this kind cause to people who are affected by them.  Yale is offering identity monitoring services to all affected U.S. residents through Kroll.  If you have received a notice letter, please contact the telephone number in your letter.   If you did not receive a notification letter, but based on the additional details below, are concerned that you may nonetheless have been affected by the intrusion , please call 1-833-228-5711 for further assistance.

Below are answers to questions that you may have about this matter.  

How did the intrusion occur?

Between April 2008 and January 2009, intruders gained access to a database stored on a Yale server.  Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred.  In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time.

What information about me was taken? 

The data included names and Social Security numbers and, in nearly all cases, dates of birth.  In many cases, there were also Yale e-mail addresses and, in some cases, physical addresses.  There was no financial information about anyone.  Almost all of the people affected were affiliated with Yale.  

How did Yale learn about this?

In June, Yale was testing its servers for vulnerabilities and discovered a log that revealed the intrusion. 

What is Yale doing to make sure this doesn’t happen again and how can I be sure my information isn’t vulnerable to another intrusion?

Yale has taken a number of important steps to prevent this type of intrusion.  First, Yale stopped using Social Security numbers as routine identifiers in 2005, and we regularly seek to identify and delete unnecessary files with personal information.  Second, Yale has placed strict limitations on the sharing of Social Security numbers within the University.  Third, Yale is systematically testing its data center servers to identify possible vulnerabilities.  It was that testing program that led us to discover the intrusion into your information.

Is my Social Security number held anywhere else at Yale? 

Yale is required to keep a record of the Social Security numbers of Yale faculty, staff, and students to meet tax and other legal requirements. 

What steps did Yale take after it learned of this intrusion?

Before sending out any letters, we needed to understand the nature of the problem so that we could provide advice and help.  We located addresses for  the large majority of affected individuals, arranged for identity monitoring services through Kroll and set up a response center.  Then we sent letters to as many of affected people as we could locate, while tasking the response center also to assist those people whom we have yet to locate.

I did not receive a letter but am concerned that I still might have been affected by the intrusion.  What are my options?

If your affiliation with Yale did not commence until after January 2009, then there is no reason to believe that your information was compromised in this data breach.   In addition, Yale has obtained verified address information for and is notifying by mail nearly 97% of the individuals affected.  If you believe that you may have been affected and yet do not receive a notice from us, by mail,  you may call 1-833-228-5711  for assistance.   Yale will check the information that you provide against the list of individuals affected.  If your name is on that list, we will promptly offer you the same identity monitoring services that we also are offering to other members of the community.  For your protection, please use this telephonic system to communicate about this matter with Yale.  Please do not email any details that relate to your personal information.

Do you know who did this?

We do not.   Experts advise us that it is not feasible to determine the identities of the perpetrators.

How big is the risk to me?  Do I really need identity protection services?
It is difficult to judge the seriousness of the risk, but we do think it is advisable for any U.S. resident whose data was affected to register for identity protection services.  Yale is offering the services at no cost to affected persons.

My spouse/partner is also affiliated with Yale.  Will they receive identity protection services?

Yale is only offering identity monitoring services to U.S. residents whose information was extracted from the affected database.  If your spouse/partner did not receive a notice letter, then their information was not affected.

Date: July 26, 2018