Tuesday, March 14, 2006

Georgetown Hack May Have Exposed Personal Data

News Story by Jaikumar Vijayan

MARCH 13, 2006 (COMPUTERWORLD) - Georgetown University in Washington has called in the U.S. Secret Service to investigate a server breach that may have exposed confidential information on more than 41,000 individuals.

The breach appears to have been caused by an external hacker and involved a server that managed information on services provided by the District of Columbia Office on Aging, according to a university statement. The breach may have exposed the names, dates of birth and Social Security numbers of people taking part in the agency's programs.

The server was managed by a university researcher under a grant from the Office on Aging.

The breach was discovered Feb. 12 during a routine check of school networks by Georgetown's information security office, said a university spokesman. The compromised server was immediately disconnected from the network, he said.

But because "it took some time to recognize the scope and nature of the exposure," the intrusion was not disclosed to the Office on Aging for almost two weeks, according to the spokesman. Law enforcement officials were then notified on Feb. 27, and the Secret Service took custody of the compromised server for forensic testing the next day.

There is no evidence that the compromised information has been misused, the spokesman said. He said the breach did not affect any of the university's core computer systems containing student financial and admission records.

Damage Control

Georgetown is now notifying people whose information may have been exposed in the incident, the spokesman said. But that task is complicated because the breached server contained records dating back to 1983 on people who may now be deceased.

The university has established a toll-free phone number and a Web site where people can get more information.

In a March 3 e-mail to students and workers, Georgetown CIO David Lambert said the university's security office plans to focus on "enhancing the security of confidential information contained on campus and departmental servers" during the spring and summer. He did not elaborate.

According to a university source familiar with the incident who requested anonymity, the server in question was under the control of an individual who wasn't technically qualified to be a systems administrator. "Because we're a university and fairly open, there are many computing fiefdoms," often run by individuals with grant money, the source said in an e-mail.