A data breach through Georgetown University’s GU Experience internal information platform exposed current students’ and graduates’ financial aid records, Social Security numbers, GPAs, admissions details and visa information.
Georgetown users who logged in to GU Experience between 8 a.m. Oct. 16 and 8:30 a.m. Oct. 17 could use the sidebar to reach an administrative version of the website. That site contained a page marked “Insights,” which held a folder named “Data-warehouse.” Within that folder were several layers of nested folders containing spreadsheets of the personal information.
According to Doug Little, the university’s chief information officer, the leak was the result of a configuration error in the GU Experience platform, which is built on Ellucian’s Banner student information system.
“Following a maintenance and outage period of the Banner student information system, a subset of student users in the GU Experience platform were able to access certain student data from current and former students,” Little wrote in an email sent to community members at 12:30 p.m. Oct. 17.
“This was not the result of an external attack or security compromise of our system, but instead an inadvertent setting change that allowed a subset of existing users with GU IDs to gain access to data that would otherwise only be used by administrative staff,” Little added.
The data did not appear to be accessible without a Georgetown login, but authenticated users could download the spreadsheets and save them to their personal devices.
Information The Hoya viewed in one spreadsheet included personal information on students’ full names, tax IDs, dates of birth, genders, ethnicities, marital statuses, disability statuses, immigration and visa statuses and religions.
Other sheets contained financial aid information for students dating back to the 1990s, including comments university staff made on students’ financial aid reports related to financial aid amounts and details of family marital and medical history. The data included specific details of students’ financial aid, such as how much aid they had received from the university versus federal or other grants and how much of an unsubsidized loan a student had taken out for a semester.
Another spreadsheet included GPA information for students dating back to the ’90s, while another listed the Spring 2024 GPA of every student enrolled in the university’s law, medical, graduate and undergraduate programs.
One file also included a roster of all applicants to Georgetown undergraduate and graduate schools and their admittance and enrollment status. Another file included the payroll of all university employees, though users could not directly access this dataset.
Other files included students’ GRE and MCAT exam scores as well as their accompanying score percentiles.
According to Little, 29 users may have accessed data they were not authorized to see. An email from Little sent at 12:04 p.m. Oct. 17, which The Hoya obtained, instructed these users to delete any data they had obtained and confirm the deletion to the university.
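Scoping an exposure like this one is an access-log exercise: filter requests to the administrative area down to the exposure window, drop the accounts that were entitled to be there, and record who only browsed folders versus who opened or downloaded files. The script below is an added example, not code from The Hoya, Georgetown UIS or Ellucian. It assumes a hypothetical access-log format (timestamp, user ID, method, URL) and a hypothetical URL layout; the folder names follow the article, while the log lines, user IDs, file names and the staff allow-list are constructed for illustration.

```python
"""Scope an access-control misconfiguration from access logs.

Added example (not code from The Hoya, Georgetown UIS or Ellucian). Log format,
URL layout, user IDs, file names and staff list below are all hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Exposure window reported in the article (campus local time; tz handling omitted).
WINDOW_START = datetime(2024, 10, 16, 8, 0)
WINDOW_END = datetime(2024, 10, 17, 8, 30)

# Path of the administrative area that should have required a staff role.
# Folder names follow the article; the URL layout is an assumption.
EXPOSED_PREFIX = "/admin/insights/data-warehouse/"

# Accounts that legitimately hold the administrative role (hypothetical).
STAFF_USERS = {"staff001"}

# Constructed sample log lines: "<ISO timestamp> <user> <method> <url>".
SAMPLE_LOG = """\
2024-10-16T07:58:12 staff001 GET /admin/insights/data-warehouse/aid/fa_1998.xlsx
2024-10-16T09:14:03 gu12345 GET /admin/insights/
2024-10-16T09:14:40 gu12345 GET /admin/insights/data-warehouse/
2024-10-16T09:15:05 gu12345 GET /admin/insights/data-warehouse/aid/fa_1998.xlsx?download=1
2024-10-16T11:02:51 gu67890 GET /admin/insights/data-warehouse/registrar/gpa_spring2024.xlsx
2024-10-16T23:45:10 gu12345 GET /admin/insights/data-warehouse/admissions/applicants.xlsx?download=1
2024-10-17T08:29:59 gu24680 GET /admin/insights/data-warehouse/
2024-10-17T08:31:02 gu13579 GET /admin/insights/data-warehouse/aid/fa_2001.xlsx
2024-10-17T09:00:00 staff001 GET /admin/insights/data-warehouse/aid/fa_2001.xlsx
"""


@dataclass
class Access:
    ts: datetime
    user: str
    method: str
    path: str
    query: dict


def parse_line(line: str) -> Access:
    """Parse one hypothetical log line into its fields; query string is split out."""
    ts, user, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return Access(datetime.fromisoformat(ts), user, method, parts.path, parse_qs(parts.query))


def scope_exposure(log_text, start=WINDOW_START, end=WINDOW_END,
                   prefix=EXPOSED_PREFIX, staff=STAFF_USERS):
    """Return {user: {"requests": n, "files": set, "downloads": set}} for every
    non-staff account that reached `prefix` inside the half-open window [start, end).
    Folder listings count as requests but not as files; a `download=1` query
    parameter (an assumed convention) marks a file as saved to the client."""
    report = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        a = parse_line(raw)
        if not (start <= a.ts < end):
            continue                      # outside the exposure window
        if a.user in staff or not a.path.startswith(prefix):
            continue                      # entitled account, or not the exposed area
        entry = report.setdefault(a.user, {"requests": 0, "files": set(), "downloads": set()})
        entry["requests"] += 1
        rel = a.path[len(prefix):]
        if rel and not rel.endswith("/"):  # a file rather than a folder listing
            entry["files"].add(rel)
            if a.query.get("download") == ["1"]:
                entry["downloads"].add(rel)
    return report


def users_to_notify(report):
    """Accounts that opened or downloaded at least one file and so must be told to
    delete it; folder browsing alone does not make the list."""
    return sorted(u for u, e in report.items() if e["files"])


if __name__ == "__main__":
    result = scope_exposure(SAMPLE_LOG)
    for user, entry in sorted(result.items()):
        print(user, entry["requests"], sorted(entry["files"]), sorted(entry["downloads"]))
    print("notify:", users_to_notify(result))
```

The window boundary is half-open on purpose: the 8:29:59 request on Oct. 17 is in scope and the 8:31:02 one is not, which matches how the article states the exposure period. Distinguishing folder listings from file opens and downloads matters for the deletion request the university sent, since only users who actually retrieved a spreadsheet can have anything to delete.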
“We take data security and the privacy of our students very seriously,” Little wrote in the earlier email to all community members. “We recognize this is unsettling news and regret that this occurred. We will continue to investigate this data exposure and implement safeguards to prevent it from happening in the future.”
According to an email Little sent to graduates at 1:27 p.m., only “student data” was available to unauthorized users.
“No data from our alumni or donor systems was available or accessed by unauthorized users,” Little wrote in the email.
A university spokesperson said that “student data” in this email referred to data relating to a person’s time as a student from application for admission to the university until graduation.
However, data The Hoya viewed included both graduates’ personal information and information about their time as Georgetown students, including data on their academic performance, admissions, financial aid and Social Security and tax ID numbers. The Hoya did not find donor information in its investigation of the data set.
The Hoya has destroyed all data it accessed as part of its investigation of the leak’s authenticity.
GU Experience uses software from the company Ellucian, which provides information technology to over 2,900 higher education institutions.
A spokesperson for Ellucian did not respond to a request for comment.
The university’s internal data classification system classifies personally identifiable information, Social Security numbers and student records as high-security data and directs employees to handle such records only through approved secure platforms and printing services. Employees may not store this data on their work or personal computers: the records must remain in the university’s authorized storage system and be destroyed or purged once they are no longer in use.
“The loss of its confidentiality, integrity, or availability would cause significant harm to Georgetown’s mission, security, finances, or reputation,” the university’s information security office writes on its site.
Under the Family Educational Rights and Privacy Act of 1974 (FERPA), Georgetown generally may not release information from a current or former student’s education records without the student’s written consent, other than directory information, which includes names, addresses, contact information for students and their families and information on their time at Georgetown. Students have the right to opt out of the release of their directory information.
Leak My SSN • Oct 17, 2024 at 1:30 pm
To UIS, following their email titled “GU Experience Student Data Exposure”:
You are free to not apologize. You are free to blame others for their “unauthorized access” while in fact it’s your “inadvertent” misconfiguration that illegally authorized access to the wrong users. You are free to single out the 29 students and threaten them with ramifications while excluding yourself from any legal responsibilities. And I understand that you do so to protect yourself from a legal perspective.
But do also understand that, by doing so, you are also fitting right into the stereotype of people who say “We take data security and the privacy of our students very seriously.” And don’t be confused when you finally, or already, become the laughingstock of the world of security and privacy.