Between the hours of 8:00 a.m. on Wednesday, Oct. 16 and 8:30 a.m. on Thursday, Oct. 17, confidential information regarding students and applicants to Georgetown since 1990 was leaked and widely accessible via Ellucian, Georgetown’s data management system. This information included social security numbers, GPAs, financial aid information, disability and immigration status.
According to an email from Doug Little, Georgetown’s Chief Information Officer, the leak occurred after a scheduled maintenance period from 4:00 p.m. on Friday, October 11 to 8:00 a.m. on Wednesday, October 16. This maintenance was “part of ongoing efforts to modernize the Georgetown network environment.”
The leak was not due to an “external attack or security compromise” of Georgetown’s data management system, but instead caused by “an inadvertent setting change that allowed a subset of existing users with GU IDs to gain access to data that would otherwise only be used by administrative staff.” According to the according to an email sent to students by University Information Services.
According to Little, as of Thursday, “29 current or recent Georgetown students may have accessed the unauthorized information.”
All individuals who accessed the data have been asked to delete any data they may have saved, and warned that if they don’t, legal action may be taken, according to Little. According to Georgetown’s data handling policy, this information is classified as “high risk.”
“Using, sharing, or saving any of this data could violate University policy and have legal ramifications,” Little wrote.
Ellucian operates Banner, a software application used by higher education institutions, including Georgetown, to maintain student, alumni, and faculty information including financial data. Banner is used by over 2,900 worldwide institutions, including over 1,600 four year institutions, and over 1,400 institutions in the United States as of 2019. Ellucian has not yet responded to the Voice for comment.
High-profile individuals who have attended Georgetown since 1990 and thus may have had data leaked include King Felipe VI of Spain (SFS ’95), Crown Prince Pavlos of Greece (SFS ’93), Hunter Biden, who attended Georgetown Law School for one year in 1995, several members of the Jordanian royal family, and several members of the Trump family.
Little acknowledged the sensitivity of the information, and assured community members that they will investigate the cause of the data leak.
“We take data security and the privacy of our students very seriously. We recognize this is unsettling news and regret that this occurred,” Little wrote. “We will continue to investigate this data exposure and implement safeguards to prevent it from happening in the future. We will provide additional information as it becomes available.”
3:15 p.m. update: Alumni email sent
The Voice has obtained an email sent by Chief Information Officer Doug Little shared with Georgetown alumni similar to the email sent to current students.
The email notably clarified that unauthorized users did not access alumni or donor systems, though it is unclear whether “alumni data” simply includes current contact information, and if unauthorized users could access data categorized as “student data” for alumni including GPAs and information stored from when they were students.
“Please note that the information available to unauthorized users was limited to student data,” Little wrote. “No data from our alumni or donor systems was available or accessed by unauthorized users.”
This is an ongoing story and will be updated.
