Photos from Flickr
Follow me on TwitterMy Tweets
Once more into the security breach
Like a whole bunch of Georgetown students and alums, I woke up last week to an unpleasant e-mail from Georgetown: my name and Social Security number “may have been exposed” after a University hard drive was stolen. More exasperated than angry—between Facebook, buying things on the internet and the U.S. government’s tendency to lose private information, my privacy is nil anyway—I had an advantage that most students didn’t: a pre-arranged chat with Vice President of Safety and Security, Rocco DelMonaco, Jr., scheduled for later that afternoon.
DelMonaco has just finished his first term here at Georgetown, and I hoped to hear what he had learned from a semester of overseeing public safety on campus. His comment that “more education” was the key to preventing muggings came under criticism from this paper back in September. Indeed, this fall’s sensational early evening robbery at gunpoint just outside the Walsh building suggested that more focus on DPS training and patrols may be the answer to our security problems.
But DelMonaco, a compact, nattily dressed man whose second floor Gervase office sports a full humidor and a commemorative “ROCCO” license plate from Ronald Reagan’s second inaugural, seems unflappable. It was a tough fall for the new VP; in addition to the usual series of burglaries, muggings and fights, a bias-related assault shocked the campus early in the year. Despite a “really good job” by the University of preparing him for the “ebb and flow” of Georgetown’s security situation—particularly the spike of illegal activity around school breaks—DelMonaco shook his head ruefully. “Now that I’ve lived it, it gives me a better idea of how to redeploy … our personnel, to use other tactics and techniques,” he said.
His biggest surprise? Students’ tendency to leave their doors unlocked and to tamper with outside security doors. Indeed, despite maintenance failures, particularly in Henle Village, many burglaries on campus are connected to students who left their doors unlocked, and no one can deny that circumventing Georgetown’s security systems is a Saturday night tradition. All of which leads DelMonaco to plead, “If it is a security device, keep it whole.”
Maybe DelMonaco is just getting his sea legs, so to speak, here at Georgetown. (He’s certainly got the Catholic part down; he made it to 8 a.m. Mass on Ash Wednesday). But what about the issue of the day—the 38,000 missing Social Security numbers belonging to students who attended Georgetown as far back as 1998, including some 7,700 current students? While information security doesn’t necessarily fall under DelMonaco’s umbrella—that’s the problem of David Lambert, the University’s Chief Information Officer, whose policy of encrypting personal data was not followed—this was an out-and-out theft.
While details about the investigation are still sketchy, what we do know is this: sometime over winter break, someone got to the fifth floor of Leavey—which requires a key outside normal business hours—and entered a locked office, taking only the hard drive that contained the missing information. There were no signs of forced entry, according to the Metropolitan Police Department’s report. The only item reported as stolen was the hard drive. This leads to some interesting questions; the first being, could the crime have been committed by someone at the University?
“[The investigators] have no assumptions at all,” DelMonaco said. “When you assume, you block out other possibilities.”
But it appears that the University, and DelMonaco, still haven’t learned the lesson of this fall’s hate crime, which wasn’t publicly announced until weeks after it occurred: no matter how embarrassing public knowledge of an incident might be, transparency must be the first step. Though DelMonaco told me that he has already personally installed the transparency recommendations made by a University working group formed in the wake of this fall’s public relations debacle, the University chose to sit on news of the robbery for three weeks, despite announcing it privately to the Alumni Board of Governors.
Those three weeks could have been critical, according to Linda Poley, founder of the Identity Theft Resource Center, who said that wide publicity is key to preventing identity theft. If thieves know their potential victims are aware of the danger they are in, they may wait to use the information, giving breach victims time to initiate fraud alerts and other protective steps. Poley recommended that those whose information was compromised keep fraud alerts active for at least a year.
“You can never assume that you’re safe,” Poley said. “These thieves may warehouse the information—if they got hold of the information. They may not know they have the information. This has been a very well-publicized breach. These thieves are not stupid, if they do intend to use it, they are going to sit on it.”
The University got lucky this time; thus far, no one who lost data has reported an incidence of identity theft. And in past incidences of data exposure at universities, relatively few identity crimes have come to light. But how many times will Georgetown get away with a lack of transparency surrounding an illegal act? DelMonaco has made community policing a key rhetorical theme of his still-short tenure; in the future he should make it a point to inform the community of what is happening on campus.