38,000 Social Security Numbers Potentially Exposed After Theft

January 29, 2008

By Michele Hong


A hard drive containing the Social Security numbers of nearly 40,000 Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs on Jan. 3, potentially exposing thousands of students to identity theft.

The external hard drive, located on the fifth floor of the Leavey Center, was used to back up a computer that contained billing information for various student services, including activities fees and student health insurance, according to David Lambert, vice president and chief information officer for University Information Services.

The university notified the Department of Public Safety, the Metropolitan Police Department and the U.S. Secret Service, which investigates possible misuse of private information, of the missing hard drive. The university has not learned of any reports of identity theft in the time since the hard drive's disappearance, Lambert said.

The hard drive was not encrypted, meaning that information on the drive can be obtained by unauthorized parties, Lambert said. He was unsure if the hard drive was password-protected.

The files include all undergraduate students enrolled from 1998 through the middle of 2006. They also include postgraduates enrolled during that period who were assessed financial transactions that crossed between the main, Medical and Law campuses, such as student health insurance. Of the approximately 14,000 students currently at the university, roughly 7,700 - around 55 percent - had their private information on the missing hard drive, Lambert said.

In addition to current students, about 25,000 alumni also had information stored on the hard drive. Lambert said that the hard drive may also have included former students who are now employed by Georgetown. All told, the hard drive contained the information of approximately 38,000 people.

Vice President for Student Affairs Todd Olson said that no other health information besides billing information for student health insurance and records of student health insurance waivers was exposed.

According to the MPD incident report, Lynne Hirschfeld, the senior business manager for student affairs, notified MPD and DPS that the hard drive was missing when she returned to her office from winter break. The hard drive had been located in Hirschfeld's office, which had been left locked, the report said. The theft had taken place sometime after Dec. 21.

University Information Security then examined the desktop backed up by the missing hard drive to determine the nature and magnitude of the information exposed. Lambert said that the university did not release news of the theft earlier because of the time needed to ascertain that information.

"That system contained an enormous amount of detailed information, all of which had to be reviewed in an attempt to determine what kind of information might have been on there," he said. "That process is very staff-heavy and takes a significant amount of time."

No suspects had been identified as of yesterday. "An enormous amount of information was exposed," Lambert said. "It would certainly be extraordinarily advantageous to be able to retrieve the hard drive."

According to the MPD report, the hard drive was valued at $100. Lambert and Olson said that they were unsure whether the hard drive had been taken for monetary reasons.

Lambert said that within the next few days, the university will begin notifying every person whose private information may have been exposed with a letter explaining the incident. The letter will also advise the recipients to protect their credit information and to call a toll-free hotline set up by the university to confirm if their Social Security numbers were released and discuss what further actions they can take to protect their identities. In addition to the hotline, the university will be holding campus information sessions to answer individual questions.

In March 2006, an attack on a university server potentially exposed the names, birthdates and Social Security numbers of approximately 41,000 elderly area residents kept for research purposes. At the time, the university took similar measures, such as letters and a hotline, to alert and help the individuals involved. Erik Smulson, the university spokesperson at the time, said that no student financial or medical records were accessible from the server.

Lambert said that UIS has been developing an information security program throughout the past few years to protect confidential data stored on computers at the university. He added that UIS eventually plans to "remove legally protected information in instances it's not necessary" on individual desktop computers, but he declined to discuss the precautions in detail.

In addition, since 1999, the university has been assigning individuals GOCard numbers and NetIDs to be used as identifiers to reduce the use of Social Security numbers in data storage.

"Although in this particular instance, the data breach was the result of a computer theft and not any kind of human error or system intrusion, it is an unfortunate example of the increasing importance of data security to all of us," the letter to be sent by the university says.
