38,000 Social Security Numbers Potentially Exposed After Theft

A hard drive containing the Social Security numbers of nearly 40,000 Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs on Jan. 3, potentially exposing thousands of students to identity theft.

The external hard drive, located on the fifth floor of the Leavey Center, was used to back up a computer that contained billing information for various student services, including activities fees and student health insurance, according to David Lambert, vice president and chief information officer for University Information Services.

The university notified the Department of Public Safety, the Metropolitan Police Department and the U.S. Secret Service, which investigates possible misuse of private information, of the missing hard drive. The university has not learned of any reports of identity theft in the time since the hard drive’s disappearance, Lambert said.

The hard drive was not encrypted, meaning that information on the drive can be obtained by unauthorized parties, Lambert said. He was unsure if the hard drive was password-protected, though a password alone does not protect the contents of an unencrypted drive, which can be read by attaching it to another computer.

The files include all undergraduate students enrolled from 1998 through the middle of 2006. They also include postgraduates enrolled during that period who were assessed financial transactions that crossed between the main, Medical and Law campuses, such as student health insurance. Of the approximately 14,000 students currently at the university, roughly 7,700 — around 55 percent — had their private information on the missing hard drive, Lambert said.

In addition to current students, about 25,000 alumni also had information stored on the hard drive. Lambert said that the hard drive may also have included former students who are now employed by Georgetown. All told, the hard drive contained the information of approximately 38,000 people.

Vice President for Student Affairs Todd Olson said that no other health information besides billing information for student health insurance and records of student health insurance waivers was exposed.

According to the MPD incident report, Lynne Hirschfeld, the senior business manager for student affairs, notified MPD and DPS that the hard drive was missing when she returned to her office from winter break. The hard drive had been located in Hirschfeld’s office, which had been left locked, the report said. The theft had taken place sometime after Dec. 21.

University Information Security then examined the desktop backed up by the missing hard drive to determine the nature and magnitude of the information exposed. Lambert said that the university did not release news of the theft earlier because of the time needed to ascertain that information.

“That system contained an enormous amount of detailed information, all of which had to be reviewed in an attempt to determine what kind of information might have been on there,” he said. “That process is very staff-heavy and takes a significant amount of time.”
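The review Lambert describes, working out which files on the backed-up system held Social Security numbers and how many distinct people they covered, is the part of breach triage that can be scripted. The following is an added example, not University Information Security's tooling: it walks a backup tree, finds SSN-shaped values (dashed or not), discards candidates that fail the Social Security Administration's structural rules (area 000, 666 or 900 and above is never issued; group 00 and serial 0000 are invalid), normalizes hits so one person counted twice across files is counted once, and reports per-file counts plus the size of the notification list. The sample files it scans are constructed for the example; the SSNs in them are placeholders.

```python
import os
import re
import tempfile
from typing import Dict, Set

# 3-2-4 digits, dashes optional, not embedded in a longer digit run or a longer
# dashed number (a phone number such as 202-687-4056 does not match).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: filters nine-digit noise that cannot be an SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> Set[str]:
    """Return the distinct plausible SSNs in text, normalized to AAA-GG-SSSS."""
    found = set()
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.add(f"{area}-{group}-{serial}")
    return found


def scan_tree(root: str) -> Dict[str, Set[str]]:
    """Map each file (relative path, forward slashes) to the SSNs it contains."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    ssns = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: note it and keep going
            if ssns:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = ssns
    return hits


def affected_population(hits: Dict[str, Set[str]]) -> int:
    """Distinct SSNs across every file: the number of people to notify."""
    return len(set().union(*hits.values())) if hits else 0


# Constructed sample backup tree (placeholder SSNs, not real records).
SAMPLE_FILES = {
    "billing/activity_fees.csv": (
        "netid,ssn,fee_code,amount\n"
        "esa12,123-45-6789,ACTFEE,150.00\n"
        "esb34,234-56-7890,ACTFEE,150.00\n"
        "esc56,345-67-8901,ACTFEE,150.00\n"
    ),
    "insurance/waivers_2005.txt": (
        "Waiver approved for 234-56-7890 (outside coverage verified)\n"
        "Waiver denied for 456-78-9012\n"
        "Legacy record, SSN 345678901, migrated from Law Center billing\n"
    ),
    "notes/README.txt": (
        "Contact: 202-687-4056\n"
        "Test values, never issued: 000-12-3456 666-12-3456 987-65-4320 "
        "123-00-4567 123-45-0000\n"
        "Card: 1234567890\n"
    ),
}


def build_sample_backup(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree; returns (per-file hits, people to notify)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_backup(root)
        hits = scan_tree(root)
        return hits, affected_population(hits)


if __name__ == "__main__":
    hits, n = demo()
    for path, ssns in sorted(hits.items()):
        print(f"{path}: {len(ssns)} SSN(s)")
    print(f"distinct SSNs (people to notify): {n}")
```

The README in the sample shows the two failure modes worth checking before trusting the counts: a phone number and a ten-digit card number produce no hits, and the five never-issued values are filtered out. Undashed nine-digit runs that happen to pass the structural rules (an invoice number, for instance) will still be flagged, so on a real tree the per-file hits should be sampled by hand before the population number goes into a notification letter.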

No suspects had been identified as of yesterday. “An enormous amount of information … was exposed,” Lambert said. “It would certainly be extraordinarily advantageous to be able to retrieve the hard drive.”

According to the MPD report, the hard drive was valued at $100. Lambert and Olson said that they were unsure whether the hard drive had been taken for monetary reasons.

Lambert said that within the next few days, the university will begin notifying every person whose private information may have been exposed with a letter explaining the incident. The letter will also advise the recipients to protect their credit information and to call a toll-free hotline set up by the university to confirm if their Social Security numbers were released and discuss what further actions they can take to protect their identities. In addition to the hotline, the university will be holding campus information sessions to answer individual questions.

In March 2006, an attack on a university server potentially exposed the names, birthdates and Social Security numbers of approximately 41,000 elderly area residents kept for research purposes. At the time, the university took similar measures, such as letters and a hotline, to alert and help the individuals involved. Erik Smulson, the university spokesperson at the time, said that no student financial or medical records were accessible from the server.

Lambert said that UIS has been developing an information security program throughout the past few years to protect confidential data stored on computers at the university. He added that UIS eventually plans to “remove legally protected information in instances it’s not necessary” on individual desktop computers, but he declined to discuss the precautions in detail.

In addition, since 1999, the university has been assigning individuals GOCard numbers and NetIDs to be used as identifiers to reduce the use of Social Security numbers in data storage.
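The two controls the article mentions, removing legally protected data from desktop systems and keying records by NetID and GOCard number rather than SSN, are what a backup job for a billing system should enforce before anything is written to removable media; encrypting what does get written covers the case the article opened with, a drive that was not encrypted. The following is an added example and not the university's code. It assumes a hypothetical SSN-to-NetID directory held on a controlled server, a constructed billing export with placeholder SSNs, and, because the Python standard library has no AES, an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag as a stand-in for the AES-GCM or full-disk encryption a production deployment would use.

```python
import csv
import hashlib
import hmac
import io
import os
import re
from typing import Dict

# Pre-flight pattern: nothing SSN-shaped may reach the backup image.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample of a billing export keyed by SSN (placeholder values).
RAW_BILLING = (
    "ssn,name,fee_code,amount\n"
    "123-45-6789,Example Student A,ACTFEE,150.00\n"
    "234-56-7890,Example Student B,HLTHINS,1240.00\n"
    "345-67-8901,Example Student C,HLTHWAIV,0.00\n"
)

# Hypothetical SSN -> NetID directory: lives on a controlled server with its
# own access policy and is never written to the backup media.
DIRECTORY = {"123-45-6789": "esa12", "234-56-7890": "esb34", "345-67-8901": "esc56"}


def minimize(export_csv: str, directory: Dict[str, str]) -> str:
    """Re-key the export by NetID and drop the SSN column entirely.
    A record with no directory entry aborts the job instead of leaking through."""
    reader = csv.DictReader(io.StringIO(export_csv))
    fields = ["netid"] + [f for f in reader.fieldnames if f != "ssn"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        ssn = row.pop("ssn")
        if ssn not in directory:
            raise ValueError("record without a NetID mapping; refusing to back up")
        writer.writerow({"netid": directory[ssn], **row})
    return out.getvalue()


def check_no_ssn(text: str) -> None:
    """Refuse to proceed if anything SSN-shaped survived minimization."""
    if SSN_RE.search(text):
        raise ValueError("SSN pattern still present; backup blocked")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a standard-library PRF stream (stand-in
    # for a vetted AEAD such as AES-GCM).
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def prepare_backup(export_csv: str, directory: Dict[str, str],
                   enc_key: bytes, mac_key: bytes) -> bytes:
    """The only thing that should reach removable media: SSN-free, then encrypted."""
    minimized = minimize(export_csv, directory)
    check_no_ssn(minimized)
    return encrypt(enc_key, mac_key, minimized.encode("utf-8"))


def restore_backup(blob: bytes, enc_key: bytes, mac_key: bytes) -> str:
    return decrypt(enc_key, mac_key, blob).decode("utf-8")


def raises_value_error(fn, *args) -> bool:
    """Helper for the checks below: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # held in a key store, never on the drive
    blob = prepare_backup(RAW_BILLING, DIRECTORY, enc_key, mac_key)
    print("SSN visible in backup image:", b"123-45-6789" in blob)
    print(restore_backup(blob, enc_key, mac_key))
```

The order matters: minimization runs first so the encryption key is not the only thing standing between a stolen drive and 38,000 SSNs, and the pre-flight check runs on the minimized text so a stray SSN in a free-text column blocks the job rather than being encrypted and forgotten. With the keys held off the drive, a thief who takes the media gets a nonce, ciphertext and a tag, and the tag check also means a restore from a drive that was tampered with fails closed.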

“Although in this particular instance, the data breach was the result of a computer theft and not any kind of human error or system intrusion, it is an unfortunate example of the increasing importance of data security to all of us,” the letter to be sent by the university says.

— HOYA Staff Writers Brian Burke and Yoshi Myers contributed to this report.

Do you suspect that you have been the victim of identity theft since Jan. 3? E-mail news@thehoya.com.

Whose head is going to roll for this one? Knowing Georgetown University, the answer is... (drum roll) absolutely no one.

This is absolutely ridiculous. Unacceptable. Unencrypted data on 40,000 students with social security numbers? Who's the moron who thought of that one?

Question, though. It says in the title that 38,000 SSNs may have been exposed, but then notes that since 1999, "the university has been using more GOCard numbers and NetIDs as student identification rather than Social Security numbers." Does that mean that post-1999, the Social Security numbers weren't listed?

By the way I read the article, I'm assuming that SSNs were also compromised. While the university uses GOCard numbers, insurance companies don't.

I agree. This is absurd. Someone needs to be accountable, and the university students and staff who could be compromised should have been notified. How appropriate is it that the student newspaper should be the one to tell all of these folks that their information could now be on the black market?

Georgetown University - start taking some responsibility.

The hard drive was missing since January 3rd? Since its disappearance, what measures have the administration taken to protect the identities within?

This is absolutely absurd. A theft happens; that's terrible. The university doesn't encrypt privileged information; simply ridiculous. We aren't informed of this until now? Completely unforgivable.

This is absolutely unacceptable for several reasons. First of all, the discovery of this theft was made quite a while ago, and we should have already been informed by the University itself first rather than The Hoya (I'm sorry, but if The Hoya hadn't printed this article, I find myself wondering if we EVER would have found out). And secondly, WHY was this data unencrypted? Inexcusable that this information was not treated more carefully.

This is crazy. Why has it taken the University so long to make this information public? Another question to be asked is why in the world are they backing up their data on a portable hard drive that was not secured inside the office? I hope they are going to offer those affected free credit watch services. How many other offices within the University do the same thing?

Wow, that last paragraph shows a complete lack of any kind of accountability. Just because it was a theft doesn't mean that they don't have to take any responsibility in the poor and unacceptable handling of sensitive student information. An unencrypted backup sure seems like human error to me.

While it's very unfortunate that this happened, I don't think that thefts like this can be completely prevented. I'm a recent alum, so I assume that I'll receive one of those letters soon telling me that my information was taken. Sure, the University should take as many precautions as possible to protect the identity of students. But, many major banks and financial institutions, as well as the Social Security Administration itself, have lost hard drives and data in recent years. I think the real problem is the burgeoning amount of electronic data that is stored regarding each of us. When that much information is recorded in so many different places, it seems like these types of occurrences may not be preventable.

So, should Georgetown institute more safeguards to prevent this from happening in the future? Yes. Would all the safeguards in the world guarantee that this couldn't happen again? No.

Another example that Georgetown administration is a complete joke being run by total hacks. Why would someone who was being entrusted with this information not be required to password protect it? So glad that this was finally brought to my attention so that I can take precautions. Thanks for reporting.

Just another incident where Gtown tries to hide what happened to cover its own. This is embarrassing. Sometimes I wonder how I managed to spend 4 years there with things like this constantly going on.

Georgetown has in many ways become a joke. I'm a recent graduate and can say, now that I am at a different university and have some comparison, that Georgetown treats its students with disdain and lives entirely off of its location and celebrity professors. This is not to implicate the faculty members or the students, many of whom are excellent, but an absolutely incompetent administration. It does not surprise me in the least that this information has to be uncovered by the Hoya for anyone to find out. DeGioia gets paid how much???

The only thing this article is missing is the phone numbers for this office so anybody interested can start calling in and demanding some answers. The only thing Georgetown's administration listens to is money, if we can get the word out to alums to start waving the "fix this or kiss your donations good bye" flag, you might actually see things like free credit reports and more security in the future. Otherwise they'll keep up the same dog and pony show that they use on every other issue they've dealt with.

"The university has not learned of any reports of identity theft in the time since the hard drive’s disappearance, Lambert said."

What a BS statement.

New Admissions office PowerPoint slide...

Hey boys and girls... Come to Georgetown... you can get held up at gunpoint or have your identity stolen all in the same day.

Not to worry, no one wants your Louis handbags, Uggs or Burberry scarves. They want your cash and SSN.

Georgetown has indeed become a joke...

As an alum of one of the affected grad schools, I don't even understand why the university continued to store my SSN years after I graduated. Perhaps it goes without saying, but if the university did not retain information like this, they wouldn't have to worry about someone stealing it.

1/25 DPS Blotter includes this item:

Thursday, Jan. 17
Fraud, Off Campus, 5:46 p.m.
The complainant filed a report of fraud/identity theft after receiving notice of an account that had been opened in the complainant’s name without authorization. The Metropolitan Police Department was notified. No suspects have been identified. (http://www.thehoya.com/node/15129)

...so I guess we all have this to look forward to in the coming days/weeks/whatever. Maybe it's unconnected, but maybe not. Either way, this is just egregious conduct on the part of the university. I can't wait to get out of Georgetown.

How about we let these peons who handle our sensitive data take some of the information security classes offered at our university. I guarantee if they sat through one day of one security class this issue would be nonexistent. Get educated, wtf.

I'm an alumnus who received an email from the university regarding my stolen SSN. They've offered free credit monitoring service, but no explanation as to who to contact with questions or what I should do in the event that my information is used unlawfully. They've set up a hotline, but haven't indicated what it's for. They've set up "information sessions" but don't describe how they will keep us updated. As someone who is no longer part of the campus community, I'm not reassured in the least by this email. What's Todd Olson's number?

The hard drive was taken on January 3 and they are just telling us about this NOW?

I am an alumnus who apparently is included in the list of people whose numbers have been stolen. I am really upset about this. This is completely unacceptable. I know that the MPD and the Campus Police are jokes, but until and unless they find who did this and get my information back, I will not donate another dime to the school (I have previously donated over $25,000).

I have just called the Office of Advancement to rescind my ongoing giving commitment. Their number is 202.687.1789.

John DeGioia should have every cent that people lose from this horrible lapse of judgment (who the hell stores this kind of sensitive data on an unencrypted external hard drive??) deducted from his massive paycheck. To the Georgetown administration: shame on you, for this and your string of other failures.

Of course this is unfortunate, but I have a different perspective overall. I actually think they are being timely about this...it takes a long time to crosscheck the identities of the stolen SSNs with SSNs that exist on university databases. How could they have ascertained identities otherwise?

SSN still drives data storage for large personnel/student databases all over the country. Georgetown is very proactive in trying to change this state of affairs. I wonder how many of the comments on this site reflect any real knowledge of university data storage policy? It's easy to be angry, especially if you're on the list (as I am). It's harder to understand and reflect.

Knowledge of how a university's student database works is completely irrelevant to the issue at hand. Georgetown's inept information management practices have exposed 38,000 current students and alumni to identity theft. What kind of reaction should we have -- a blase sense that all of this, too, shall pass?

California law requires institutions that have data breaches to report the fact that personal information has been compromised to those affected. Because more than a few of the 38,000 people affected by this breach likely live in California, Georgetown is simply complying with the law. It's hardly an act of courage.

I am so bitterly disappointed in Georgetown. I serve on the board of an alumni club, interview students for admission as part of GAAP, and actively donate to the university. And this is how I get repaid.

The theft of a hard drive reveals nothing about how seriously the university takes data security. Data is protected by human beings who make mistakes; it's also stolen by thieves. I feel they are doing as much as they can do, and I certainly don't think this represents some sort of callous, secret disregard for current/former students, staff or faculty on the part of the admin.

Several key questions emerge from this story:

1) Why is THE HOYA reporting it, and not the University to its students in a mass e-mail? In terms of full disclosure of a breach of this magnitude, it's the University's obligation to advise its students that their personal information is at risk, not the job of student media. The HOYA should be commended for advising us of this event.

2) Why did nearly a month pass until this was reported, potentially giving a thief adequate time to disseminate our information? And why was this information so blatantly unsecured? UIS should have had it secured in a better way, not out in the open as it was.

This is quite disappointing.

The story notes that UIS wasn't the source of the breach, but a laptop in Student Affairs that logged into the overall network.

As UIS has overall authority on university computing, they should have had measures in place to prevent unauthorized removal of secure data. Such could have been done by restricting the use of removable media (i.e., external hard drives, thumb drives) and the like and having the data stored electronically, that is, accessible via a server, and not in its tangible form as was the case on the external hard drive.

Reveals nothing?! I do believe it said in the article that the data was not encrypted, nor did they even know if it was password protected! I am sorry, but I would like to think that our University cares enough about our privacy and security to encrypt this hard drive - or at least know whether or not the information is password protected... These security breaches happen way too often - laptops or hard drives with confidential information get stolen, with little to no protection on the actual machine - you would think that Georgetown could learn from others' past mistakes. Poor form, G-town.

It seems like this is written by a GU employee, especially since the language mirrors what was said in the email to students...

Pop Quiz:

WHY do we still use Social Security numbers as our Student ID numbers?

A-Ignorance
B-Laziness
C-Stupidity
D-All of the above

There are "best practices" standards for data management and protection. Not using them (which is obvious in this case) is negligent and inexcusable.

I encourage everyone to call Todd Olson, Director of Student Affairs, at 202-687-4056. Ask why his office's business manager, Lynne Hirshfeld, kept an unencrypted external hard drive in her office, lying around for anyone who knows how to pick a lock or who has a master key to steal.

All alumni, faculty and staff should be outraged by Georgetown's incredibly poor security. How many of us keep the deeds to our home or stock certificates in safe-deposit boxes? Why can't Georgetown do the same thing, you know, with stuff like FORTY THOUSAND Social Security Numbers, names, and addresses.

Because Georgetown is a joke.

Todd Olson's email: tao4@georgetown.edu
Lynne Hirshfeld: hirschfl@georgetown.edu

This was not written by a GU employee, but was rather compiled after interviews and source checks. To The Hoya: Keep up the good work!

The comment about being written by a GU employee was related to the prior comment, not the article.

For those of you who haven't got the email yet
...enjoy:

January 28, 2008

Dear Current or Former Students, Faculty and Staff:

We are writing to inform you that you are among a group of individuals
whose personally identifiable information such as name and social
security number may have been exposed due to a recent computer theft
on campus. We regret this incident and wanted to alert you via email
as soon as possible after completing our investigation of the nature
and scope of the data at issue. Recognizing the seriousness of this
incident and the concern we share for the personal security of those
within our community, we are making arrangements to provide free
credit monitoring services for you. In the coming days you can expect
to receive a hard copy mailing with instructions on how to take
advantage of this service.

On January 3, 2008 an external computer hard drive was reported stolen
from a locked office within the Office of Student Affairs in the
Leavey Center on the Main Campus. Georgetown’s Department of Public
Safety responded to scene and continues to cooperate with an ongoing
investigation by the District of Columbia Metropolitan Police
Department. In addition, we have informed the U.S. Secret Service
about this incident so that they may follow up as they determine
appropriate.

A thorough internal investigation of the data that was contained on
the hard drive has now determined that the hard drive included
personally identifiable information for students enrolled and some
faculty and staff from 1998 through 2006. Since the files related to
a range of cross-campus student financial transactions processed
through the Office of Student Affairs, it pertained to students
enrolled at the Main, Medical and Law Center campuses. No financial
information, such as bank account or credit card numbers, was
contained in the hard drive. This incident is limited to this one
hard drive and does not extend to other University systems and
services where personal data may be stored or updated.

At this time Georgetown has no evidence that your personal data have
been misused. However, as a precaution, we are notifying you of this
situation and encouraging you to place a fraud alert on your credit
reporting accounts. You can find instructions for notifying credit
bureaus, utilizing the free credit monitoring service (as soon as it’s
available) and other information online at identity.georgetown.edu.
We have also established a toll free hotline (1-866-740-2458) which
will be operational as of 9:00am EST tomorrow morning. In addition,
if you are on or near the Main Campus, you may attend an information
session on Wednesday, January 30 at 2:00pm in the ICC Auditorium where
we will be able to respond to any questions in person. A separate
information session will also be held on the Law Center campus on
Thursday, January 31 at 4:00pm in McDonough Hall Room 203.

Although in this particular instance the data breach was the result of
a computer theft and not any kind of system intrusion, it is an
unfortunate example of the increasing importance of data security to
all of us. We deeply regret any incident that potentially exposes the
sensitive data of members of our community.

Georgetown recognizes the potential vulnerability of this kind of
information and consistently has taken steps to protect data across
University systems. For example, Georgetown has been actively
reducing the use of social security numbers in its data storage.
Individuals are now assigned a GoCard number and NetID to be used as
unique identifiers instead of social security numbers. We are also
taking other steps to implement enhanced security procedures across
campuses and continue to identify and incorporate emerging best
practices in data protection and security.

You may also take steps individually to protect sensitive data. Some
suggestions for doing so can be found at our Office of Information
Security website at security.georgetown.edu as well as online
resources from the Privacy Rights Clearinghouse at http://www.privacyrights.org/identity.htm
and the federal government’s identity theft website at http://www.ftc.gov/bcp/edu/microsites/idtheft/
.

Please accept our sincere apologies for this incident. Thank you for
your cooperation and understanding.

Sincerely,

H. David Lambert
Vice President and Chief Information Officer

Todd Olson
Vice President for Student Affairs

Something tells me if Jessie Sapp were running the University instead of hitting game winning three pointers nonsense like this wouldn't be happening.


I encourage everyone to call Todd Olson, Director of Student Affairs, at 202-687-4056, or email him. Ask why his office's business manager, Lynne Hirshfeld, kept an unencrypted external hard drive in her office, lying around for anyone who knows how to pick a lock or who has a master key to steal.


Where's that computer? Someone call Jessica Fletcher, Nancy Drew and the Hardy Boys, stat!!!

According to the Hotline, the University has no plan to offer "free credit monitoring."

PLEASE DIGG! SPREAD THIS DISGRACE SO GEORGETOWN TAKES ACTION!

http://digg.com/world_news/38_000_Social_Security_Numbers_Potentially_Ex...

I just called the hotline too and they had no idea what was going on. They asked me if I wanted them to mail me more information. I politely declined once I realized they could not help. I also asked if they were located on campus and they are not. The woman said they are located in Winston-Salem. Doesn't seem too helpful...

Some info (including something about a free credit monitoring service) is up here - http://www1.georgetown.edu/uis/security/identity/faqs/45053.html

I am one of the affected parties of this security breach. I cannot, like many of the other commentators on here, understand why my personal data, which is several years old, was sitting on a hard drive in someone's office who is completely unrelated to my time at Georgetown. What information about me was listed among the "enormous amount of detailed information," as David Lambert put it? What kind of records is the university keeping about graduates? Are other databases, particularly those kept by the registrar and alumni affairs, safe? Will the university review its policies and take the time to teach non-UIS employees how to store personal data? I think the university should be as transparent as possible and that The Hoya should continue asking these questions as a public service to the community.

Seems sort of ridiculous that the University has known about this since January 3 and still hasn't been able to reach an agreement with Equifax on free credit monitoring services.

Why isn't Lynne Hirschfield being fired for this? According to the University website (http://security.georgetown.edu/faculty/15140.html) she is required to encrypt the information that she left vulnerable.

Ms. Hirschfield did not even sign the apology email.

We're all overlooking one critical fact of this issue: Lynne Hirschfeld left the drive on December 21, when the University offices closed for the holiday break for some 10 days. This is the height of negligence; it's almost as if Hirschfeld was asking for the drive to be taken during the vacation. It's like your house: when you go on vacation, you remove valuables. Except in this case, it's 38,000 people's valuable information. Well done, Lynne. You deserve a pat on the back for your caution and thoroughness in guarding proprietary information.

It's great that you have taken a broad view of this. I too don't think this shows any ill will on the part of the University.

What it reveals is an arrogance along the lines of "our systems are adequate and these things won't happen to us." The facts, as laid out in the Hoya, are disturbing. Several of the typical precautions to protect student and alum identities have been put in place. It shouldn't take "several years" to outlaw external hard drives or to eliminate SSNs as the primary ID (having worked in a small college, I know that this takes some work, but it isn't rocket science), or to limit access to databases on an as-needed basis.

This is a rather dumb record retention policy: have the "backup" drive a few feet from the computer it is backing up. Shouldn't the computer be backed up to a central drive or mainframe that the computer folks control, instead of a random external hard drive that is under a stack of papers for all we know?

This whole episode sounds like the beginning of a new "Bad Idea Jeans" commercial.

Before calling on someone to resign or to be fired, perhaps we should get all the facts. This article in The Hoya, far from being a full exposition of the facts of the case, seems just to be a cursory explanation.

Just read the letter from the university that was just sent out -- someone below recently posted it. All information in The Hoya's article is correct and seems to be, unfortunately, the full story.
