Some applicants at three private liberal arts colleges report this week that they have received anonymous notes offering them the chance to buy their complete admissions files, including comments made on them by admissions officers, any ratings assigned to them, reports on interviews and in some cases the tentative decisions made on whether to admit them.
The image above is from Reddit and is reportedly what some applicants have received. While it remains unclear if the sender in fact has access to the admissions files as claimed, the person or persons who sent the message does have the names and contact information for some applicants of all three colleges -- information that would not normally be public, And some recipients report that the email appears to come from college admissions accounts.
Subsequent posts on Reddit said that the hackers were lowering the prices. As with many documents on Reddit, authenticity can't be determined, but officials familiar with the hacking said that these notes were in fact what applicants were receiving.
Grinnell on Thursday tweeted, "This morning Grinnell learned from some prospective students that they received an email from an individual claiming to have gained unauthorized access to a database containing personally identifiable information who would sell them access to their full admission file. If you receive(d) such a message, you are strongly advised not to respond. We have contacted appropriate authorities, including the Federal Bureau of Investigation, and will send out notification as soon as possible."
Hamilton released this statement to Inside Higher Ed: "On Monday, March 4, 2019, Hamilton College learned that an unauthorized person may have accessed the system that houses applicant information. Upon learning of the situation, Hamilton promptly began an investigation, engaged cybersecurity professionals to assist and took additional steps to prevent further unauthorized access to applicant records. Even though our investigation is ongoing we are reaching out to those who may have been affected by the incident. Safeguarding the privacy and security of all information, including applicant information, is of the utmost importance to Hamilton College, and we will continue taking steps to enhance the security of our IT systems."
A Hamilton spokesman said that while only a few applicants reported receiving the notes, the college has since reached out to all applicants.
Oberlin released this statement to Inside Higher Ed: "Oberlin College was recently the victim of a targeted attack that resulted in unauthorized access to personal information. The data compromised was limited to an Office of Admissions database. We have determined that access was gained to the database on Tuesday, March 5, from 2:45 a.m. until 6:49 a.m., at which point the college regained control of the account and action was taken to secure the database. An investigation is ongoing to determine the scope of the attack. Based on preliminary information that we have received, other colleges have been victims of similar attacks. Oberlin College is committed to maintaining a secure computing environment and preserving the confidentiality of our electronic information. We will continue to review and improve our security procedures to ensure that personal information is protected."
The Security Issues
Grinnell, Hamilton and Oberlin all use the services of Slate for handling applications and managing related documents.
Alexander Clark, CEO of Technolutions, of which Slate is a part, offered this take via email on what happened. "Slate was not hacked. Rather, an unauthorized party used weaknesses in the password reset systems operated by three colleges to gain access to the campus resources -- not just Slate -- to which the user had access. We are not aware of any other colleges that have been similarly impacted."
Clark noted a Twitter thread that suggested Slate was not at fault.
The admissions hacking incidents come the same week as reports that Chinese hackers were targeting 27 leading research universities, most of them in the United States, apparently focusing on research on undersea technology.
Gus Ortiz, a program manager at Jenzabar, said that the hacking incidents in admissions point to the need for colleges to take such threats seriously and to be willing to invest in defenses. "Higher education is aware of the changing and evolving cybersecurity threats facing it but has been reluctant to address this through their budgetary process. Failing to budget for enhanced network security is leaving the door open for becoming a cybervictim," he said.