Despite its reputation as having the top law school in the country, Yale University is facing a second lawsuit after the personal information of more than 100,000 students was stolen by hackers in a data breach, according to GazetteXtra.
Between April 2008 and January 2009, electronic records containing social security numbers, dates of birth and both email and home addresses of students was stored on a Yale database. A routine review of its servers revealed that hackers had gained access to the servers and obtained the data of thousands of students, including defendant Andrew Mason.
Because the attack took place more than a decade ago, Yale reportedly said that it would not conduct an investigation. Mason’s lawsuit claims that Yale “improperly retained personal information, which was subsequently transferred to unauthorized persons during the breach, as evidenced by its statements that the personal identification information compromised in the breach was deleted from servers in September 2011 because it was unnecessary personal data.”
Industry experts believe that more lawsuits are likely to come, not just for Yale but for any organization that has mishandled the personal information it collects. “It is just going to continue until organizations realize that doing nothing is no longer acceptable and that security must be prioritized and taken seriously,” said Joseph Carson, chief security scientist at Thycotic.
“What is clear is that this data breach is a result of poor security hygiene and poor data hygiene that resulted in thousands of victims. Offering 12 months of free identity protection services is not sufficient, as the students identities can be abused or stolen for many years after an incident has occurred. Therefore, the minimum protection should be for at least five years."
With regard to Yale's stance that attribution at this time is going to be very difficult given that so much time has passed since the data breach, Carson agreed.
“Other universities should consider this as a lesson and prioritize cybersecurity immediately and ensure that they have done a data impact assessment and a risk-based assessment to determine how exposed they might be and what actions they must take," said Carson.
"The recent EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act are both taking personal identifiable information very seriously and any similar data breach that occurs moving forward could mean universities facing massive financial penalties of $20 million or more.”