
Yale Social Security Numbers Exposed In Latest Case Of 'Google Hacking'

First Posted: 08/24/11 08:43 PM ET Updated: 10/24/11 06:12 AM ET

It is used by millions of people on the Internet every day. Now, it is also used with increasing frequency by hackers seeking sensitive data like Social Security numbers: a Google search.

A recent data breach at Yale University marks the latest example of a security flaw exposed by "Google hacking," which involves querying the popular search engine for website vulnerabilities. For 10 months, names and Social Security numbers belonging to 43,000 people affiliated with Yale were visible through a Google search, the Yale Daily News reported last week.

On Monday, the security firm Identity Finder said it found 300,000 names and Social Security numbers of California residents who applied for workers' compensation benefits by searching Google for common keywords. And in June, an Australian security consultant said the customer database of Groupon's India subsidiary was also visible through a Google search.

"This is happening more and more frequently," said Francis Brown, managing partner at the IT consulting firm Stach and Liu.

Google hacking has been around for a few years, but has recently become easier as Google indexes greater quantities of information, Brown said. While fewer than 11 million PDF documents were searchable in Google in 2004, there are now 513 million, Brown said.

"Google is so much better at indexing now," Brown said, so hackers "have a better chance of finding interesting things."

The hacker group LulzSec, which has claimed responsibility for hacking Sony, Citigroup, the CIA and the U.S. Senate, has been picking its targets "purely based on whatever they find with their 'google hacking' queries," a group calling itself the "A-Team" claimed in June.

Yale officials said the data, which did not include addresses, birth dates or financial information, was housed on a file transfer protocol (FTP) server. The breach occurred because they were unaware that Google had changed its search engine last fall to find and index such servers, the university's IT director told the Yale Daily News.

Neither Google nor Yale returned requests for comment. But Brown said it was Yale's responsibility to monitor its own security. There is no way for Google to determine whether sensitive data can be exposed in a search result given the vast amount of websites the search engine indexes, he said.

"While Google is making it easier for attackers to identify vulnerabilities, they're not responsible for those vulnerabilities existing to begin with," Brown said.

Google hackers type lines of code into search engines to target vulnerabilities in specific types of software, not institutions, Brown said. At the Black Hat security conference in Las Vegas earlier this month, Brown unveiled tools his firm created to help companies quickly locate their own security flaws through search engines.

The Yale file made public mostly contained the personal information of people who worked for the university in 1999, school officials said. This raises the question of why the university was still storing Social Security numbers belonging to people who may have left the university, according to Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse.

"Is it necessary for those Social Security numbers to be retained? It would seem to me that it's not and so that data should be purged," Stephens said.

The breach at Yale was the latest in a string of security lapses at colleges and universities. On Aug. 10, University of Wisconsin-Milwaukee officials sent letters to about 75,000 current and former students notifying them that a data breach may have exposed their personal information, including Social Security numbers. The cause of the breach was malware, not Google hacking, officials said. Then last week, Purdue University officials notified more than 7,000 former Purdue students that hackers breached a server containing their personal data, including Social Security numbers. The cause of the breach was not given.

Mark Rotenberg, executive director of the Electronic Privacy Information Center, predicted recent security failures would continue as long as there are no incentives for institutions to protect the growing amounts of sensitive information they collect.

"Universities have gone on a binge gathering data without thinking carefully about security practice," Rotenberg said. "We think that puts individuals at risk."

04:15 PM on 08/29/2011
This headline is so misleading. It has nothing to do with Google hacking anyone; Google is just indexing available information (as Yale didn't secure it, it has been freely available for download to the world, potentially, longer than the 10 months that Google has indexed it).

It's too bad that it is not mentioned that ftp, like http, does not use any encryption. Likewise, there is a secure form of ftp (sftp), similar to https, that uses encryption.
06:38 AM on 08/28/2011
When Social Security began, we were promised it would only be used for payroll taxes. When our state required them to be put on our driver's license, I told them I didn't want to have my Social Security number on my license. They had substitute numbers and gave me one. Then the lady at the driver's license desk, said with disgust, 'After this year you will have to put your Social Security number on there'. I said, 'I won't.' and walked out.

By the time I received my next renewal they had figured out they shouldn't put Social Security numbers on driver's licenses.

Social Security numbers are used way too much. We may need to get identity numbers, but Social Security numbers should be top secret.
HUFFPOST SUPER USER
dbrett480
07:33 PM on 08/25/2011
How is this Google's fault? This is just another attempt to attack Google, while the obvious responsible party (Yale) appears blameless.
04:49 PM on 08/25/2011
I don't think Google is at all to blame; I think Yale is to blame. Google is just opening up indexes and allowing information that is out there to be read. It's not our fault that Yale didn't know to protect itself from those types of "breaches".
HUFFPOST SUPER USER
Bryneen Gary
No cash no post
02:35 PM on 08/25/2011
Madness
HUFFPOST SUPER USER
spoonbill1963
02:12 PM on 08/25/2011
Look folks, if you think you have anything close to real security of personal info, you're kidding yourselves. The federal government alone loses thousands of computers with sensitive data each and every year.
HUFFPOST SUPER USER
Julia Bailey
10:26 AM on 08/25/2011
Another dumb headline. The breach was Yale's fault, and the problem was that YALE made data accessible through a Google search. There was no hacking, and Google was not involved.
And Yale sucks for keeping info on people for years. I got a letter last week about the breach, and I graduated years before they created the file.
12:32 PM on 08/25/2011
Your name is up here and you went to Yale; didn't you just make it easy?
HUFFPOST SUPER USER
zooperman
09:58 AM on 08/25/2011
Google hacking?? What a stupid name for finding info publicly available to search engines. The article should be something like "Yale's IT Department is Run by a Bunch of Morons"
HUFFPOST SUPER USER
zooperman
09:51 AM on 08/25/2011
"The breach occurred because they were unaware that Google had changed its search engine last fall to find and index such servers, the university's IT director told the Yale Daily News."

No. The breach occurred because the idiots stored sensitive files in a directory that was not password protected on a computer that was open to public access. Their tech people should be fired. They are morons.
HUFFPOST SUPER USER
spoonbill1963
02:13 PM on 08/25/2011
Fired? I'd prefer jail time.
08:54 AM on 08/25/2011
These are interesting times and any server or data repository accessible via the Internet is vulnerable. Generally it doesn't require hacking skills to obtain a lot of presumed private information such as social security numbers and this is often the main identifier still used to locate records of persons. Congress will eventually need to address privacy issues such as even the public information Google makes available to the world. Many of us in the search and recruiting space can simply conduct Google searches on applicants to prescreen and determine whether or not we or our clients would want to proceed further with interviews and formal background screening. Congress and many states in recent years have passed laws under FCRA forbidding background search companies from reporting certain public information antedated 7 - 10 years to employers, etc., yet the providers can now be bypassed with a simple Google search. Rather than spend money on background checking, applicants can now be seen in their true light on social media and everywhere else. Yale and their FTP experience is only the tip of the iceberg and Congress will eventually need to take up the issue on the merits of FCRA and whether or not these protections need to be upheld. If Google's autobots can get unfettered access into Yale's system, that system is vulnerable and Yale should be held accountable! As to Google, Congress should investigate on that end as well.
HUFFPOST SUPER USER
pepper1311
POGS are dirt
10:39 AM on 08/25/2011
Congress wants the 'private sector' to police itself. They seem to be doing a great job!
04:52 PM on 08/25/2011
I don't think Google should be investigated. It was Yale's breach; it was not Google's fault, they just have the information. It is a huge index and it takes in the information that is out there. Yale is accountable for not stepping up their IT department.
HUFFPOST SUPER USER
Joanne Boyer
Author and Editor of Wisdom of Progressive Voices.
08:25 AM on 08/25/2011
And yet we don't think our touch screen, non-paper, electronic voting machines can't be hacked. How stupid are we? Wait, don't answer that.
HUFFPOST SUPER USER
michaelmr
04:34 AM on 08/25/2011
Since when is doing a google search on information that has been publicly posted considered hacking?
HUFFPOST SUPER USER
Dan Vasquez
My micro-bio is Open-Source
01:52 AM on 08/25/2011
Another smear piece on Google, it's not Google's job to protect other companies' data. If I got my SS# hacked I'd sue the idiot who put it on an FTP server.
HUFFPOST SUPER USER
spoonbill1963
02:14 PM on 08/25/2011
Amen.
HUFFPOST SUPER USER
twhiting9275
My micro-bio. Totally unrelated to microbiology!
12:47 AM on 08/25/2011
Soooooo, let's see here.
Is this Google's fault? No. Why? Google only did as it was told. Google is a search engine, its primary objective is to seek out all (public) information and display it for the world.

Is this the IT department's fault? Absolutely. Why? It's THEIR job to ensure that stuff like this is kept, well, private. 

Not much privacy can be expected these days online, but one's social security # is one of those things that absolutely should be private. WTG, failure of an IT department!!!
HUFFPOST SUPER USER
jsgaetano
"Conservative" is not a political party, genius.
12:28 AM on 08/25/2011
LOL... Yale. They appear cursed after their most infamous graduate made big headlines.
08:15 AM on 08/25/2011
better than Harvard any day
HUFFPOST SUPER USER
jsgaetano
"Conservative" is not a political party, genius.
11:04 AM on 08/25/2011
Keep telling yourself that. If you say it long enough, you might even start to believe!