http://www.georgetownvoice.com/2008-02-07/voices/once-more-into-the-security-breach
By Tim Fernholz
The Georgetown Voice
February 7, 2008
Like a whole bunch of Georgetown students and alums, I woke up last week
to an unpleasant e-mail from Georgetown: my name and Social Security
number may have been exposed after a University hard drive was stolen.
More exasperated than angry -- between Facebook, buying things on the
internet and the U.S. government's tendency to lose private information,
my privacy is nil anyway -- I had an advantage that most students didn't: a
pre-arranged chat with Vice President of Safety and Security, Rocco
DelMonaco, Jr., scheduled for later that afternoon.
DelMonaco has just finished his first term here at Georgetown, and I
hoped to hear what he had learned from a semester of overseeing public
safety on campus. His comment that more education was the key to
preventing muggings came under criticism from this paper back in
September. Indeed, this fall's sensational early evening robbery at
gunpoint just outside the Walsh building suggested that more focus on
DPS training and patrols may be the answer to our security problems.
But DelMonaco, a compact, nattily dressed man whose second floor Gervase
office sports a full humidor and a commemorative ROCCO license plate
from Ronald Reagan's second inaugural, seems unflappable. It was a tough
fall for the new VP; in addition to the usual series of burglaries,
muggings and fights, a bias-related assault shocked the campus early in
the year. Despite a really good job by the University of preparing him
for the ebb and flow of Georgetown's security situation -- particularly the
spike of illegal activity around school breaks -- DelMonaco shook his head
ruefully. "Now that I've lived it, it gives me a better idea of how to
redeploy our personnel, to use other tactics and techniques," he said.
His biggest surprise? Students' tendency to leave their doors unlocked
and to tamper with outside security doors. Indeed, despite maintenance
failures, particularly in Henle Village, many burglaries on campus are
connected to students who left their doors unlocked, and no one can deny
that circumventing Georgetown's security systems is a Saturday night
tradition. All of which leads DelMonaco to plead, "If it is a security
device, keep it whole."
Maybe DelMonaco is just getting his sea legs, so to speak, here at
Georgetown. (He's certainly got the Catholic part down; he made it to 8
a.m. Mass on Ash Wednesday). But what about the issue of the day -- the
38,000 missing Social Security numbers belonging to students who
attended Georgetown as far back as 1998, including some 7,700 current
students? While information security doesn't necessarily fall under
DelMonaco's umbrella -- that's the problem of David Lambert, the University's
Chief Information Officer, whose policy of encrypting personal data was
not followed -- this was an out-and-out theft.
While details about the investigation are still sketchy, what we do know
is this: sometime over winter break, someone got to the fifth floor of
Leavey -- which requires a key outside normal business hours -- and entered a
locked office, taking only the hard drive that contained the missing
information. There were no signs of forced entry, according to the
Metropolitan Police Department's report. The only item reported as stolen
was the hard drive. This leads to some interesting questions; the first
being, could the crime have been committed by someone at the University?
"[The investigators] have no assumptions at all," DelMonaco said. "When you
assume, you block out other possibilities."
But it appears that the University, and DelMonaco, still haven't learned
the lesson of this fall's hate crime, which wasn't publicly announced
until weeks after it occurred: no matter how embarrassing public
knowledge of an incident might be, transparency must be the first step.
Though DelMonaco told me that he has already personally installed the
transparency recommendations made by a University working group formed
in the wake of this fall's public relations debacle, the University chose
to sit on news of the robbery for three weeks, despite announcing it
privately to the Alumni Board of Governors.
Those three weeks could have been critical, according to Linda Poley,
founder of the Identity Theft Resource Center, who said that wide
publicity is key to preventing identity theft. If thieves know their
potential victims are aware of the danger they are in, they may wait to
use the information, giving breach victims time to initiate fraud alerts
and other protective steps. Poley recommended that those whose
information was compromised keep fraud alerts active for at least a
year.
"You can never assume that you're safe," Poley said. "These thieves may
warehouse the information if they got hold of the information. They may
not know they have the information. This has been a very well-publicized
breach. These thieves are not stupid, if they do intend to use it, they
are going to sit on it."
The University got lucky this time; thus far, no one who lost data has
reported an incidence of identity theft. And in past incidences of data
exposure at universities, relatively few identity crimes have come to
light. But how many times will Georgetown get away with a lack of
transparency surrounding an illegal act? DelMonaco has made community
policing a key rhetorical theme of his still-short tenure; in the future
he should make it a point to inform the community of what is happening
on campus.