Cyber Incident Victim: George Mason University
Date: Jul 2014
Location: United States of America
Summary
George Mason University experienced a malware intrusion targeting its travel booking system, potentially impacting approximately 4,400 users. Although stored names and Social Security Numbers were not confirmed to have been accessed, the institution notified affected individuals, established a support line, provided complimentary identity monitoring, and removed SSNs from the compromised system as precautionary measures.
Description
On July 16, 2014, George Mason University detected a malware intrusion targeting its Travel Request Service application, a system used by faculty, staff, students, candidates, guest speakers, and others to book university-subsidized travel. The incident potentially affected up to 4,400 users of the system, which stored names and Social Security Numbers (SSNs). University officials, including Vice President for IT and CIO Marilyn Smith, stated there was no evidence that personal information had been viewed or accessed by unauthorized parties. The malware attack represented a potential compromise of the travel booking platform, though investigators could not definitively confirm whether unauthorized access to the system had occurred. The university initiated an investigation following the detection but found no conclusive proof of data exfiltration or unauthorized viewing of sensitive information.

In response to the incident, George Mason University notified all 4,400 potentially affected users via mailed letters and established a dedicated help line to address inquiries. The institution offered complimentary one-year memberships to ProtectMyID, a credit monitoring service designed to detect misuse of personal information. As a preventative measure, the university permanently removed all Social Security Numbers from the Travel Request Service system to eliminate future exposure risks. These actions were implemented despite the absence of confirmed data theft or viewing by malicious actors. The university maintained transparency about the investigative limitations, acknowledging the malware intrusion while clarifying that the scope of unauthorized access remained undetermined. No additional technical details about the malware’s entry vector, persistence mechanisms, or operational impact on the travel system were disclosed in the available public reporting.
