Georgetown has still not answered many questions about the recent leak of student, alumni, and applicant data.
For 12 hours from Oct. 16 to Oct. 17, confidential information regarding students and applicants to Georgetown since 1990 was leaked and widely accessible via Ellucian, Georgetown’s data management system. This information included Social Security numbers, GPAs, financial aid information, and disability and immigration status.
According to a university-wide email on Oct. 17, the leak was not due to “external attack or security compromise” of Georgetown’s data management system, but was instead caused by “an inadvertent setting change” that allowed users with GU IDs to access the data.
Here are the questions the Voice has asked Georgetown that it has not answered:
- How, and when, did the university become aware of the breach?
- Why was the page open for almost 12 hours? Did UIS have difficulty fixing the problem?
- Was the problem ultimately fixed by UIS or Banner/Ellucian?
- Has the administration consulted with cybersecurity experts within or outside the university to assess the situation?
- Was the computer science department (or faculty in the department) consulted about the leak?
- What exactly went wrong with the Ellucian Banner system that caused the data leak?
- What exact information was viewable? For example, did the financial aid information include full copies of students’ FAFSA and CSS profiles, thus also exposing sensitive information like the SSN and ITIN of their parents?
- Were parents notified about the data breach?
- What action is Georgetown planning to take to protect the students who have been impacted by this leak?
- What guidance will the university be providing to current and former students about preventing misuse of their data?
- How many profiles were accessed?
- How did the university identify the 29 individuals who accessed profiles during the breach?
- Will the university be pursuing legal or student conduct action against these 29 individuals?
- The Voice is aware that the 29 people who accessed the data set were sent emails asking about how they used or stored the data. Have all 29 people responded? Is there any indication that anyone has stored or otherwise distributed the data?
- How does the university intend to make sure these individuals did not save any information found during the breach?
- Will UIS or Ellucian be issuing an apology to impacted students?