Two Georgetown University student organizations are increasing security measures to protect against cyberattacks, according to senior leadership of the Georgetown University Alumni and Student Federal Credit Union and Students of Georgetown, Inc.

The Corp is currently formalizing password guidelines and implementing a company-wide password policy for Corp-specific online accounts. Meanwhile, GUASFCU executives plan to migrate on-site servers to a cloud platform to increase security and reliability.

The Corp’s increased scrutiny of employee passwords comes after a breach last month allowed a still-unidentified hacker to send a sexually explicit email to all Corp staff. The Corp is continuing to investigate the email, CEO Melina Hsiao (COL ’18) said.

Last month’s incident is not The Corp’s first experience with hacking. In February 2016, the company was forced to close all of its storefronts for two hours after a hack of its servers.

The switch to cloud-based system at GUASFCU comes as prominent organizations and government agencies, including the Central Intelligence Agency, are increasingly adopting the technology to prevent breaches in cybersecurity.

Cloud platforms are considered more secure by some IT professionals, because a company’s data is stored off-site at data centers that often have stronger security defenses than traditional data systems. Continuant, a global managed service provider, predicts 90 percent of businesses will be using a form of cloud platforms by 2018.

GUASFCU Chief Technology Officer Nick Matz (COL ’18) said cybersecurity is among the credit union’s top priorities this year.

“Cybersecurity is of the utmost importance to the Credit Union,” Matz wrote in an email to The Hoya. “We have made significant improvements to our network this year. We continue to invest in information technology with our own funding, and with additional funding from the National Credit Union Administration,” a federal agency that regulates federal credit unions.

University Information Services have not been contacted by The Corp to help with their internal hack investigation, according to UIS Chief Information Security Officer Joseph Lee. However, since The Corp maintains a company email system separate from the university, UIS would not be able to provide substantive aid in a hacking investigation.

The Corp has taken further steps to strengthen their cybersecurity. This fall, the student-run company switched payment processing systems from Square to Clover. Bank of America Merchant Services partners with Clover, making it a more secure point of sale system than Square,
according to Hsiao.

The university required both organizations to increase the security of their payment processing services this summer by installing separate internet networks to handle financial transactions. The new networks bring the two organizations into compliance with mandated credit card industry standards. Both GUASFCU and The Corp previously used the university’s internet network to process financial transactions.

The shift to dedicated networks was necessary because the university’s Wi-Fi is not designed with vendor’s needs in mind, Lee said.

“Our first obligation for network access is not to third-party vendors and businesses that have to be running all day,” Lee said. “It is primarily for the students, primarily for the faculty and primarily for teaching, learning and also research.”

UIS had been aware for years that student businesses were using the university’s Wi-Fi to process transactions; they began working with on-campus vendors two years ago to establish a separate network for financial transactions. This summer, UIS assisted The Corp and GUASFCU in contracting an internet service provider for their new networks.

However, Hsiao said that processing payments over the university’s internet network did not pose a security risk or put Corp customers’ data at risk.

“The only violation was that we were using the university’s network,” Hsiao said. “It wasn’t that the university’s network wasn’t safe enough.”
Though GuestNet is not unsecure, it was never intended to be a secure network for businesses but rather a convenience for guests visiting campus, Lee said.

“From a business standpoint, there’s a lot of rules you have to follow in terms of what your IT needs to look like and what your network needs to look like,” Lee said. “We don’t say that GuestNet, for example, will meet those needs. It’s good for personal use but for business needs, that’s a completely different thing.”

Despite the successful implementation of GUASFCU’s new network, Matz expressed worry that his organization would not be able to rely on UIS for network assistance as in the past.

“In our contract with [UIS] before, they did have a lot of things that they would help us with,” Matz said. “And now that they’re not our internet service provider, I’m worried that they’re not going to be as willing to help us with those things.”

Despite those concerns, UIS’s advisory relationship with student organizations will remain what it has always been, Lee said.

Hsiao said she is not concerned about The Corp’s continuing relationship with UIS.

“UIS has been really great to work with and there’s definitely been no negative impact on our relationship,” Hsiao said. “I think, if anything, it strengthened it.”