Students of Georgetown, Inc.’s internal network of Google accounts was hacked on the night of March 21, leaving the student-run business commonly known as The Corp without access to internal documents, records and email communications for about a day.
The Metropolitan Police Department and the Georgetown University Police Department responded to the incident the following morning. MPD referred the incident to the financial and cyber crimes unit of the FBI, which is investigating the case, according to MPD and FBI spokespersons.
The Corp did not comment on any aspect of the law enforcement investigation or response.
The attack, confirmed to The Hoya by The Corp last week, underscores the vulnerability of campus organizations to malicious cyberattacks, particularly as clubs increasingly store internal data on digital platforms.
On the night of the attack, the yet-unidentified hacker or hackers accessed The Corp’s internal network of Google accounts, called a G Suite. The Corp uses the suite for email communication, as well as storage of important documents concerning daily operations including schedules, employee handbooks, policy documents and other materials, according to Alex Gong (SFS ’20), CEO of The Corp.
Soon after gaining access at about 8:30 p.m. on Wednesday, March 21, the hacker deleted the entire G Suite later that night, wiping out important data, files and all Corp employees’ Google accounts.
The Corp’s accounts and data were fully restored within a day of the hack, according to Gong. No files were altered or permanently lost, and no sensitive employee or customer data were compromised as a result of the incident, Gong said.
“Protecting that information will continue to be a priority for us moving forward,” Gong wrote in a statement to The Hoya.
Typically, G Suites that have been deleted cannot be recovered. Google technicians managed through an “unconventional process” to restore the suite, according to Ricardo Mondolfi (SFS ’19), the chair of The Corp’s board of directors. Before the G Suite was restored, the company’s senior leadership could not be certain whether their files would be recovered or whether The Corp’s storefronts would be able to operate without them.
A spokesperson for Google declined to comment, citing the confidentiality of customer service matters.
The cyberattack underscores the vulnerabilities of Georgetown’s other entirely student-run organizations, which may operate with lackluster cybersecurity protocols.
The Corp, which has its own in-house IT department, employs over 430 students and calls itself the largest student-run 501(c)3 nonprofit corporation in the world, has fallen victim to previous attacks on its digital platforms. Last September, an unidentified person used a Corp email account to send a sexually explicit email to all Corp staff. In February 2016, all The Corp’s storefronts were shuttered for about two hours after a hack on the company’s online servers.
“It is clear that no student group is immune to cyberattacks, and we encourage others to follow our lead and take permanent steps to secure their systems from unwanted interference,” Gong wrote. “Most organizations and offices on campus conduct business digitally, but I don’t think many groups fully realize the risk in relying on online platforms to host sensitive information.”
On the morning of Thursday, March 22, the day after the attack, The Corp’s senior leadership contacted various Georgetown administrators and University Information Services, whose officials provided technical guidance and support, according to Gong and Mondolfi.
Rachel Pugh, Georgetown’s senior director for strategic communications, did not comment on the details of the university’s response to the incident. Pugh said UIS continues to provide “advice and assistance” to The Corp.
“While their technology systems are separate from Georgetown’s, UIS understands The Corp is comprised entirely of our students and their customers are our students, faculty, staff and visitors so we continue to provide advice and assistance,” Pugh wrote in an email to The Hoya.
Chief Information Officer of UIS Judd Nicholson did not comment.
On the administration’s actions to help other campus organizations bolster their digital security after the incident, Pugh wrote, “UIS continues to engage its student technology advisory board on technology issues affecting students and strategies for communicating with the campus community about best practices.”
With the university’s support, The Corp has taken steps to strengthen its online security in the aftermath of the incident. University administrators put Corp leadership in contact with a security consulting firm after the incident to help strengthen their cybersecurity protocols, according to Gong.
Employees are now required to use two-factor authentication to access their Corp email accounts and to change their passwords monthly. Employees were also advised to update verification information when control of an account changes hands.
The onus is on student leaders to “implement common-sense protocols in our respective organizations,” Gong said, adding that it “wouldn’t hurt” if university administrators promoted sound cybersecurity practices more robustly.
“We’re continuing to cooperate with our partners in the administration to work through the technical logistics associated with the issue,” Gong wrote. “We’re extremely grateful to our partners in the administration for providing us with the resources necessary to resolve the issue in a timely fashion.”