http://www.georgetownvoice.com/2008-02-07/voices/once-more-into-the-security-breach

By Tim Fernholz
The Georgetown Voice
February 7, 2008

Like a whole bunch of Georgetown students and alums, I woke up last week to an unpleasant e-mail from Georgetown: my name and Social Security number may have been exposed after a University hard drive was stolen. More exasperated than angry -- between Facebook, buying things on the internet and the U.S. government's tendency to lose private information, my privacy is nil anyway -- I had an advantage that most students didn't: a pre-arranged chat with Vice President of Safety and Security, Rocco DelMonaco, Jr., scheduled for later that afternoon.

DelMonaco has just finished his first term here at Georgetown, and I hoped to hear what he had learned from a semester of overseeing public safety on campus. His comment that more education was the key to preventing muggings came under criticism from this paper back in September. Indeed, this fall's sensational early evening robbery at gunpoint just outside the Walsh building suggested that more focus on DPS training and patrols may be the answer to our security problems.

But DelMonaco, a compact, nattily dressed man whose second floor Gervase office sports a full humidor and a commemorative ROCCO license plate from Ronald Reagan's second inaugural, seems unflappable.

It was a tough fall for the new VP; in addition to the usual series of burglaries, muggings and fights, a bias-related assault shocked the campus early in the year. Despite a really good job by the University of preparing him for the ebb and flow of Georgetown's security situation -- particularly the spike of illegal activity around school breaks -- DelMonaco shook his head ruefully. "Now that I've lived it, it gives me a better idea of how to redeploy our personnel, to use other tactics and techniques," he said.

His biggest surprise? Students' tendency to leave their doors unlocked and to tamper with outside security doors.
Indeed, despite maintenance failures, particularly in Henle Village, many burglaries on campus are connected to students who left their doors unlocked, and no one can deny that circumventing Georgetown's security systems is a Saturday night tradition. All of which leads DelMonaco to plead, "If it is a security device, keep it whole."

Maybe DelMonaco is just getting his sea legs, so to speak, here at Georgetown. (He's certainly got the Catholic part down; he made it to 8 a.m. Mass on Ash Wednesday). But what about the issue of the day -- the 38,000 missing Social Security numbers belonging to students who attended Georgetown as far back as 1998, including some 7,700 current students?

While information security doesn't necessarily fall under DelMonaco's umbrella -- that's the problem of David Lambert, the University's Chief Information Officer, whose policy of encrypting personal data was not followed -- this was an out-and-out theft.

While details about the investigation are still sketchy, what we do know is this: sometime over winter break, someone got to the fifth floor of Leavey -- which requires a key outside normal business hours -- and entered a locked office, taking only the hard drive that contained the missing information. There were no signs of forced entry, according to the Metropolitan Police Department's report. The only item reported as stolen was the hard drive.

This leads to some interesting questions; the first being, could the crime have been committed by someone at the University?

"[The investigators] have no assumptions at all," DelMonaco said. "When you assume, you block out other possibilities."

But it appears that the University, and DelMonaco, still haven't learned the lesson of this fall's hate crime, which wasn't publicly announced until weeks after it occurred: no matter how embarrassing public knowledge of an incident might be, transparency must be the first step.
Though DelMonaco told me that he has already personally installed the transparency recommendations made by a University working group formed in the wake of this fall's public relations debacle, the University chose to sit on news of the robbery for three weeks, despite announcing it privately to the Alumni Board of Governors.

Those three weeks could have been critical, according to Linda Poley, founder of the Identity Theft Resource Center, who said that wide publicity is key to preventing identity theft. If thieves know their potential victims are aware of the danger they are in, they may wait to use the information, giving breach victims time to initiate fraud alerts and other protective steps. Poley recommended that those whose information was compromised keep fraud alerts active for at least a year.

"You can never assume that you're safe," Poley said. "These thieves may warehouse the information if they got hold of the information. They may not know they have the information. This has been a very well-publicized breach. These thieves are not stupid, if they do intend to use it, they are going to sit on it."

The University got lucky this time; thus far, no one who lost data has reported an incident of identity theft. And in past incidents of data exposure at universities, relatively few identity crimes have come to light. But how many times will Georgetown get away with a lack of transparency surrounding an illegal act? DelMonaco has made community policing a key rhetorical theme of his still-short tenure; in the future he should make it a point to inform the community of what is happening on campus.