The U.S. Secret Service is investigating an attack on a university server that may have exposed personal information about 41,000 area residents, administrators announced earlier this month.
The server had been used by a researcher to track services offered by the D.C. Office on Aging since 1983 and contained information including the names, birthdates and Social Security numbers of elderly citizens who have used the office’s services.
University spokesman Erik Smulson said that the security breach was discovered during a routine inspection of the computer network on Feb. 13. He added that the compromised server has been shut down.
The university waited until Feb. 24, almost two weeks after the breach was first discovered, to notify DCOA and did not disclose the news to the public until March 3.
Smulson said that the university waited until it fully understood the nature and scope of the breach before informing DCOA. Vincent Morris, a spokesman for D.C. Mayor Anthony Williams, said that DCOA was not concerned by the delay.
The university turned the server over to the Secret Service for forensic analysis on Feb. 28. Jonathan Cherry, a spokesman for the Secret Service, said that the matter remained under investigation and declined to comment.
Georgetown set up a Web site and hotline for individuals who believed their information may have been accessed improperly. Smulson said that the university hopes to send letters to all 41,000 people who may have been victims of identity theft, but said that some may be deceased or have moved out of the area.
In a press release on March 3, the university recommended that individuals concerned that their information may have been exposed place fraud alert warnings on their credit reports.
Smulson said that about 300 people had contacted the university hotline by the end of last week, but that none had complained of identity theft. Morris said that the DCOA had not received any complaints.
Smulson also said that the server was separate from the university’s main computer files and that the attackers were not able to access students’ financial or medical records. He added that the university is complying with local and federal investigators.
“We’re constantly trying to stay ahead of these attackers,” he said.
The university declined to name the researcher responsible for maintaining the server, who Morris said was working with a grant from the DCOA that was renewed each year. Morris did not know if the security breach would affect the likelihood of the grant being renewed.
The information contained on the server was gathered from several area organizations, including senior centers and other groups that serve senior citizens.
In testimony before the D.C. City Council’s Committee on Human Services last year, DCOA Executive Director E. Veronica Pace called the Georgetown server “mission critical” to the DCOA, saying that it included “financial and executive support applications.”
In her testimony, Pace asked for funding for a separate server maintained by the D.C. government.
“The system knowledge is not well documented, which poses risks for catastrophic failure,” Pace said during her testimony.
The separate server was slated to go into effect this September. Darlene Nowlin, a spokesperson for the DCOA, declined to comment on how the server breach could affect the office’s ability to effectively track data.
