HARTFORD, Conn. (CN) – Having just disclosed that a data breach 10 years ago compromised the personal information of about 119,000 people, Yale University now faces a federal class action.
Represented by the West Hartford law firm Reardon Scanlon, lead plaintiff Julie Mason notes in the Aug. 1 complaint that received a notice from Yale about the breach last week even though she was never an alumna or employee of Yale.
Indeed Mason’s only connection to the school is that 22 years ago she applied to a visiting student program.
Now her Social Security number and other personally identifiable information has been “accessed and extracted by unauthorized users,” the complaint states.
In the complaint Mason questions why Yale would so carelessly hold onto the sensitive at issue for so many years.
“Yale stored ‘unneeded personal information’ on its servers, including Plaintiff’s and Class members’ Social Security numbers,” the complaint states. “In Plaintiff’s case, Yale stored this ‘unneeded personal information,’ for over 10 years despite that Plaintiff never enrolled at Yale University.
“Yale’s letter also states that ‘Yale considers the protection of personal data of the utmost importance and is taking measures to help you guard against identity theft by offering you identity monitoring services.’ However, in the case of Plaintiff and other Class members, Yale’s offer is simply too little, too late.”
Mason also says that for all these years “Yale concealed that it would maintain Ms. Mason’s Personal Information in its databases even after her application process was concluded.”
Though the breach is thought to have occurred between April 2008 and January 2009, Yale only discovered it this past June while testing its servers.
Mason, a New York resident, says Yale then made matters worse by waiting a month to disclose that the breach involved information, including names, dates of birth, and Social Security numbers.
“As of August 1, 2018, Yale still has not notified all of the individuals affected by the data breach,” the complaint states.
Representatives for Yale have not returned an email seeking comment. A statement on the school’s website says the university “stopped using Social Security numbers as routine identifiers in 2005, and we regularly seek to identify and delete unnecessary files with personal information.”
In addition to class certification and punitive damages, Mason demands that Yale employ and maintain appropriate systems and policies to protect personal information and to promptly detect, and timely and accurately report, any unauthorized access to that data.
She is represented by James Reardon of Reardon Scanlon.