Google Hack Exposes Yale

Sue Marquette Poremba

Thanks to Google, virtually nothing is private anymore.


News broke over the past couple of days that Yale had 43,000 names and Social Security numbers exposed on Google. The breach, apparently, was a direct result of a change Google made last fall. According to Computerworld:

In September 2010, Google made a change that allowed its search engine to index and find File Transfer Protocol (FTP) servers. But university IT officials were unaware of the change.

The exposed data was on an FTP server at Yale.


There are two situations at play here, I believe. First is Yale's admission that its IT professionals were unaware of a significant change in Google's search engine indexing. You would hope that IT professionals, especially any who are in charge of security matters, keep abreast of changes, updates or upgrades of applications like Google. To me, this points out why funding for IT security has to be a priority, especially in the education sector.


Second, is there a reason why Google has to make searchable everything ever stored on a computer? The ability to find more and more sensitive information through Google searches has led to a rise in what is called "Google hacking," or as USA Today described it:

Also known as Google dorking, Google hacking refers to cybercriminals' enterprising use of Google's advanced search functions to find caches of valuable data ripe for the taking.

At the Black Hat conference, two researchers presented a series of tools that will speed up the process of finding security vulnerabilities in popular search engines, according to InformationWeek. These tools will allow security folks to Google hack their organizations so they can find out how and where the bad guys could attack and hopefully thwart the attack before it happens.


So, we moved from performing an ego search or setting up a Google Alert to let us know what is posted about ourselves, to now getting to Google hack ourselves to find out what we don't want anyone to see.


Yale should be held responsible for not being current on these changes to Google (and Yale has offered free credit monitoring and identity theft insurance to the 43,000 whose info was exposed), but there needs to be a limit on what can and cannot be searchable on an Internet search engine.
