Cybersecurity dilemmas are the difference between a door and a wall, according to my research methods professor Kerric Harvey. Online privacy protections should act as a wall between hackers and the private data they seek to steal. But once someone turns that wall into a door, it’s impossible to keep track of the keys to your personal information.
While GW still holds the keys to our private data, every member of our community needs to know if our personal information is secure. History proves that we can’t take the University’s word for it.
While most students rarely read the University’s promotion-filled emails in-full, I woke up to a frightening one last month. Its subject line and sender both caught my attention – “Alert: GW Cybersecurity Incident” from email@example.com. The email states “a malicious intruder” broke into GW’s directory and downloaded students’ information, but the hacker did not steal any data that was “sensitive” or “personal.”
The GW community received a fairly similar email from interim University President Mark Wrighton last February notifying them of a secret program that tracked their movement across campus in aggregate without their consent. Wrighton said that while “the technical capacity may exist to track individuals across our campus,” officials did not track individual people across our campus.
There’s clearly a pattern in how GW handles data privacy – trust us, whoever has your information hasn’t done anything bad with it. At least not yet. But that pitiful response to our data privacy concerns raises several questions. Can officials actually determine the damage these incidents cause? And how do we know that hackers can’t cover their tracks better than the University can chase them?
After hackers executed a ransomware attack at North Carolina Agricultural and Technical State University last April, they claimed to have stolen personal information like contracts and Social Security numbers. Much like GW reassures students of their data privacy, North Carolina A&T’s administrators said no students or faculty were affected in last April’s incident. Would we be so certain that our information is secure when – not if – GW is hacked?
There are two different data privacy issues facing every member of the GW community right now. The first deals with dangerous cyberattacks to which our campus continually falls victim. The second concerns GW’s reckless use of our data to advance its development projects. Both lead to one conclusion – the University isn’t responsible enough to handle our private information.
A total of 44 colleges and universities were attacked with ransomware in 2022, up from 26 campuses in 2021, according to Emsisoft, a company that works to decrypt ransomware and recover data lost in attacks.
Since May 2021, the GW community has suffered at least two ransomware attacks, one data breach and a credit-card hack on the University’s cap and gown vendor.
When a cyber attack struck GW Law’s academic database in December 2021, several students lost their completed final exams in the system’s crash. In the same week, hackers broke into Kronos, GW’s employee payment platform, and launched a ransomware attack compromising faculty and staff members’ GWIDs, Net IDs, campus addresses and other sensitive personal information.
The cyber attacks on GW Law School and Kronos each occurred while members of our campus community served as unwitting participants in a school-sponsored surveillance system. The University’s then-secret tracking program – ostensibly meant to assess population density across campus buildings – outraged students and faculty whose movement the program monitored throughout fall 2021.
Cybersecurity experts said news of the University’s extensive tracking capabilities actually made GW more vulnerable to ransomware attacks because it showed GW could access individualized data. And after officials touted a remodel of GW’s data privacy principles last fall, industry professionals were quick to point out that they were too brief, broad and outdated for students to feel safe. Before officials updated the University’s data privacy notice in January, experts noted “there’s certainly no details” in the outline of how they collect certain University data.
The University has renewed its public commitment to “safeguarding and maintaining the privacy of your personal information” with its updated data privacy notice. But has GW’s cybersecurity system become more of an open door than a brick wall? GW “deeply regrets” each of these top-down security failures, but the University’s credibility on data privacy has fallen through the floor. The data concerns of students, staff and faculty deserve GW’s absolute attention. But if officials can’t be clear about their commitment to our data privacy, we shouldn’t trust them to protect it.
From their email accounts to their location on campus, GW community members are correct in their concerns about the safety of their personal information. As the University continues the scramble to improve its outdated data privacy measures in 2023, we must demand that officials are transparent through every step in its process.
Matthew Donnell, a junior majoring in political communication and English, is an opinions writer.
This article appeared in the March 6, 2023 issue of the Hatchet.