An external hard drive containing the Social Security numbers of 38,000 Georgetown University students, faculty, and staff was stolen from the university's Office of Student Affairs, according to The Hoya, the university's student newspaper.
The hard drive contained billing information for student services, and included data on 7,700 current students -- over half the current student body -- as well as information on alumni from 1998 to 2006 and many faculty members.
The hard drive, which turned up missing Jan. 3, was kept in the office of Lynn Hirschfield, senior business manager for student affairs, The Hoya said. It said the hard drive was not encrypted.
David Lambert, the university's vice-president and chief information officer for its Information Services department, said that he could not confirm if the drive had been password protected as well.
"An enormous amount of information was exposed," Lambert said. "It would certainly be extraordinarily advantageous to be able to retrieve the hard drive."
The university has begun notifying affected individuals by mail about the breach, and has set up a toll-free hotline to answer questions regarding the theft. According to a university press statement, there were no indications that the hard drive was stolen for financial reasons, or that the information had been used for fraud or identity theft.
"Georgetown is making every reasonable effort to notify all individuals whose personal information may have been exposed as a result of this theft and encouraging them to place a fraud alert on their credit reporting accounts," the university said. University officials also promised to offer free credit monitoring for all affected individuals.
Those efforts did not satisfy angry students and alumni, many of whom expressed frustration with the slow pace of the investigations and notification.
"This is absurd," wrote one commenter at the Hoya. "Someone needs to be accountable, and the university students and staff who could be compromised should have been notified. How appropriate is it that the student newspaper should be the one to tell all of these folks that their information could now be on the black market?"
ID Theft League
Universities are often targets of data breaches and thefts of personal information, due to problems ensuring information security and the large amounts of data students provide the university upon enrollment. Everywhere from job fairs to medical centers, students provide names, addresses, dates of birth, and Social Security numbers -- all the information identity thieves need to set up new accounts in the victim's name, or create new identities using bits and pieces of different victims' data.
College students also represent tempting targets for thieves and fraudsters, due to the mountains of solicitations for credit they receive upon enrollment, and their largely unblemished credit records.
Georgetown University's network server had previously been hacked in March 2006, leading to the theft of information on 40,000 elderly residents of the District of Columbia. The university had been hosting the data on behalf of the District's Office on Aging (DCOA).
Ohio University made headlines in recent years with a series of data breaches that affected hundreds of thousands of students, faculty, and alumni over a two-year period. An outside hack of a database at the University of California, Los Angeles (UCLA) exposed 800,000 students, faculty, employees, and retirees to identity theft in December 2006.