38,000 GU SSNs Potentially Exposed

[RockawayHoya]

And our university always wonders why alums don't donate more, or at all. This is just another reason why. Personally, they won't see a dime from me until a) they find out who did this, and b) make sure my info wasn't used improperly. If something happens to my credit profile or I become a victim of identity theft, Todd Olson and Co. better find a place to hide. I'll leave it at that.

*furiously tries to take preventative measures*

[hoyatables]

Jan 29, 2008 16:38:40 GMT -5 RockawayHoya said:

And our university always wonders why alums don't donate more, or at all. This is just another reason why. Personally, they won't see a dime from me until a) they find out who did this, and b) make sure my info wasn't used improperly. If something happens to my credit profile or I become a victim of identity theft, Todd Olson and Co. better find a place to hide. I'll leave it at that.

*furiously tries to take preventative measures*

Explain how this is tied to donations?

[JohnJacquesLayup]

Not to speak for Rockaway, but I believe he is expressing a lack of desire to donate money to an institution that does not take appropriate measures to protect your sensitive information. I received this email today, and to say the least, this is a horrible time for me to have this pop up. [Edit for spelling]

[HoyaSinceBirth]

I got the email this morning and at first i was Editeded but it does not seem to be as big a deal as they make it sound. The key is that " No financial information, such as bank account or credit card numbers, was contained in the hard drive." So, at worst they get a bunch of SSNs and the knowledge that you are a student at GU. That is not that significant. They would likely be more interested in the Faculty information. You should keep an eye on your account balance and read the stuff they send you, but nothing is likely to happen.

[strummer8526]

First of all, why did it take something like 26 days to tell us about this?!?!

Rockaway isn't the only person who I've heard say that this would impact donations. Common sense says you don't give money to an institution that is this poorly run...and not just poorly run, but poorly run AND THEN irresponsible about even telling us in a timely fashion. Anything that was likely to happen would have happened over 2 weeks ago. So we could all have been sitting on a big problem that has gone un-addressed b/c this institution doesn't feel the need to keep its students and alums in the loop on ANYTHING. (See: threats to commit serial killings in the ICC).

[JohnJacquesLayup]

Jan 29, 2008 17:10:44 GMT -5 HoyaSinceBirth said:

I got the email this morning and at first i was Editeded but it does not seem to be as big a deal as they make it sound. The key is that " No financial information, such as bank account or credit card numbers, was contained in the hard drive." So, at worst they get a bunch of SSNs and the knowledge that you are a student at GU. That is not that significant. They would likely be more interested in the Faculty information. You should keep an eye on your account balance and read the stuff they send you, but nothing is likely to happen.

Hmmmm. SSN, date of birth, and Name are a good start to opening credit accounts without your knowledge.

[HoyaLingus]

Miserable.

That's the only word for this.

If *anything* happens to anyone as a result of this, they should, to be perfectly American, sue the living daylights out of GU.

[RockawayHoya]

Jan 29, 2008 16:48:54 GMT -5 hoyatables said:

Jan 29, 2008 16:38:40 GMT -5 RockawayHoya said:

And our university always wonders why alums don't donate more, or at all. This is just another reason why. Personally, they won't see a dime from me until a) they find out who did this, and b) make sure my info wasn't used improperly. If something happens to my credit profile or I become a victim of identity theft, Todd Olson and Co. better find a place to hide. I'll leave it at that.

*furiously tries to take preventative measures*

Explain how this is tied to donations?

Strummer and HSB made good points to back me up that I would've made. I won't restate, but I'll take it a step further:

Personally, I received the e-mail, and after reading it, I didn't get the feeling that the University was being very sincere about doing all that they could to contact those affected or taking measures to rectify the situation. Allowing this to happen in the first place is inexcusable. Waiting nearly a month to tell me about it... wait a minute now, am I an alum of the university and part of the G'town family, or just some Joe Schmo who they send mail and call up asking for donations every few weeks because I happened to go to their school? Come on, a little bit of common decency here, please?

A lot of people give to the school because they like a certain direction the University is taking (see: JT3's extension), or would like to support a certain project that would be for the benefit of the school. I've got no argument there. I'd love to give money to G'town to see it become bigger and better. I'm proud I went here.

But when they do something that negatively impacts me, wait FOUR WEEKS to tell me about it, and try to dismiss it as something benign, I'm sorry, but that won't cut it. In the grand scheme of things, they probably won't miss my donation all that much. But 38,000 donations? I'm sure that would get their attention, which would be a fine change because obviously they aren't paying enough right now, as far as I'm concerned.

[HoyaSinceBirth]

Jan 29, 2008 17:18:49 GMT -5 JohnJacquesLayup said:

Jan 29, 2008 17:10:44 GMT -5 HoyaSinceBirth said:

I got the email this morning and at first i was Editeded but it does not seem to be as big a deal as they make it sound. The key is that " No financial information, such as bank account or credit card numbers, was contained in the hard drive." So, at worst they get a bunch of SSNs and the knowledge that you are a student at GU. That is not that significant. They would likely be more interested in the Faculty information. You should keep an eye on your account balance and read the stuff they send you, but nothing is likely to happen.

Hmmmm. SSN, date of birth, and Name are a good start to opening credit accounts without your knowledge.

They just have SSN and name they don't have our dates of birth. I think they need a little more info to actually do some damage, but i could be wrong.

[naijahoya]

It might also be a good idea to place a 'fraud alert' on your credit file just to be on the safe side. I just did.

www.experian.com/fraud/

www.experian.com/consumer/fraud_faqs.html

[hoyatables]

We don't know how long it took GU to figure out exactly what was on the hard drive that was stolen.

We also should be able to surmise that it takes at least a couple of days to figure out exactly how to respond and how to reach out and provide the necessary resources to your alumni body. (see, e.g. the help line and informational assembly)

I'd wager that for purposes of law enforcement and trying to catch the culprit, it was a wise idea to keep it quiet at first and see if the culprit could be easily IDed and nabbed. A premature broadcast email could have sent the culprit running, while an absence of anything might cause the culprit to relax and let down his or her guard.

Personally, I'd rather have a university that gives a deliberate, measured, and thought-out response to potential issues than one that just issues a knee-jerk statement without any answers as to what it means or how that knee-jerk statement might jeopardize attempts to actually catch the thief.

And finally, the delay is a little on the long side but I hardly think it is ridiculous -- especially without any proof that the delay actually resulted in harm.

When my identity is stolen I reserve the right to change my tune . But as an as-yet-unaffected "victim" I see no issue with the University's response to date.

[StPetersburgHoya (Inactive)]

I have to admit that I was at work when I got the e-mail and wasn't too upset about it. I did not notice the fact that they nearly waited a month before sharing that my personal information was exposed. Thanks for giving anyone who was taking my personal information a head start.

I completely agree with who ever said that if you actually have your identity stolen you should sue the University for all you can get. It takes FOREVER to get something on your credit report investigated and fixed and it can effect your ability to get a loan, a mortgage, or a credit card for the entire time its under investigation.

Oh and whoever is responsible for this should have already have their resignation drafted. It was nice of the school to set up a terrible hot line and meetings that no alumnus could possible attend. Looks like I'll just be giving to the Hoop Club for the foreseeable future.

[hoyaLS05]

I'm one of the ones who got the e-mail today, too. I had some fraudulent charges made on my credit card last week. I'm new to the world of identity theft: Is it possible for some savvy identity thief to ascertain credit card numbers though name, SSN and DOB?

[LizziebethHoya]

I'm more interested into why our SSNs were in the student affairs office anyway. As they have said, they have been going by GoCard# for awhile now. I would have assumed my SSN is in one file (Registrar, perhaps) and then everything linked to that file is my GoCard#. I obviously assumed wrong.

Also, one news station was interviewing students tonight who said some other desktops and electronic equipment had been stolen out of the 3rd floor of Leavey and the GUTV office. So, it could possibly just be an inside thief wanting to make some cash and not knowing what type of files are in there. But, who knows.

I do love that the info session is at 2pm tomorrow...when those on campus have class and alums off campus are working.

[hoyatables]

Good point about why Student Affairs had a computer with this info.

See, here's what bothers me about the comments here (as well as those made by friends): you all are focusing on the University's "delay" in notifying us. I don't see as much of a problem with that, particularly if either (1) no one actually suffered harm because of the delay and (2) the delay was for a good cause.

What bothers me is :
(1) why was this info on that particular computer. Why did that individual have a need for all of our SSN?
(2) why was that info not encrypted?

I agree that is inexcusable. I don't see the delay as a major problem in itself.

[strummer8526]

I guess the delay was just the one of the 10 or 12 things wrong about all of this that I happened to focus on. There's A LOT wrong here, and it says a lot about the way our current school/alma mater treats us.

My problem with the delay is that I don't personally believe that it WAS for a good cause. Why do I say that? Because a good cause would mean that the University had a well-thought-out strategy and some kind of understanding of the situation that called for a delay. If they had a well-thought-out ANYTHING, this wouldn't have happened at all. What kind of place stores 40,000 SSN's in one place w/ no encryption whatsoever? I think it's far more likely that the delay was motivated by a hope that no one would find out OR a general inability to organize a response any faster than 3 weeks.

As a student, I also didn't take special note of the meeting time, but that's another outrageous insult. A TON of GU alums are in DC. To have a meeting at 2pm that impacts alums is absurd.

I'm applying for a summer '08 job, and the DOJ is currently doing a background check on me. I really don't need anything at all showing up on my reports/records. I think someone at GU needs to be held VERY accountable for this, but unfortunately, no one will be, and we (as the most interested parties) will likely be left in the dark.

[JohnJacquesLayup]

Jan 29, 2008 17:54:46 GMT -5 HoyaSinceBirth said:

Jan 29, 2008 17:18:49 GMT -5 JohnJacquesLayup said:

Hmmmm. SSN, date of birth, and Name are a good start to opening credit accounts without your knowledge.

They just have SSN and name they don't have our dates of birth. I think they need a little more info to actually do some damage, but i could be wrong.

Check page one regarding the notice issued to law school students.

[Filo]

Jan 29, 2008 18:33:11 GMT -5 hoyaLS05 said:

I'm one of the ones who got the e-mail today, too. I had some fraudulent charges made on my credit card last week. I'm new to the world of identity theft: Is it possible for some savvy identity thief to ascertain credit card numbers though name, SSN and DOB?

I am not positive on this but you should assume the worst that yes, someone with your name and SSN (the letter did not indiicate that DOB was included) could somehow get that information (possibly by ordering a credit report themselves? -- can't recall offhand if a/c number are in the credit report).

I would be somewhat surprised, though, if the credit card fraud and this SSN theft are related - the more likely scenario is someone setting up new credit card accounts with a mailing address different from yours, so that you would not even know about the fraud unless you checked your credit report. However, I repeat the advice offered above -- anyone impacted should definitely be checking their credit reports on a frequent basis.

My wife and/or I have received similar letters from various entities 2 or 3 times over the years, and we haven't had any problems with identity theft. More often than not these types of incidents are crimes of opportunity that are committed by thieves who are not very sophisticated and don't really have an interest in identity theft. Small consolation, I am sure.

I would say more about the tenuous connection between donating to GU and a security lapse (however ridiculous the lapse is), but that's a side-note to explore at another time, and I can definitely understand the frustration and anger some of you are feeling.

[ExcitableBoy]

Jan 29, 2008 18:03:51 GMT -5 hoyatables said:

Personally, I'd rather have a university that gives a deliberate, measured, and thought-out response to potential issues than one that just issues a knee-jerk statement without any answers as to what it means or how that knee-jerk statement might jeopardize

I'm not overly peeved about the lag time in being notified... but I think you are giving Georgetown waaaaaayy too much credit here. Remember, this incident is the result of 38,000 SSNs--that's almost two full Verizon centers, mind you--being on an unencrypted hard drive that they "can't remember" if they password protected or not. Are you kidding me!?!?

If this was the first theft of its kind, that would be one thing. But it's not. It has happened everywhere and every company, organization, government agency, and university that handles this type of data needs to recognize that it can happen to them. Didn't GU learn anything about the risk of this type of data leak when 20,000+ names/SSNs were stolen less than two years ago??

[hoyaLS05]

www.washingtonpost.com/wp-dyn/content/article/2008/01/29/AR2008012902333.html