[BreachExchange] Hackers breach admissions files at three private colleges

[Destry Winant]

https://www.washingtonpost.com/education/2019/03/08/hackers-breach-admissions-files-three-private-colleges/?noredirect=on&utm_term=.fe1ce565372f

Applicants to three private colleges this week discovered just how
steep the price of admission can run.

Hackers breached the system that stores applicant information for
Oberlin College in Ohio, Grinnell College in Iowa and Hamilton College
in New York and emailed applicants, offering them the chance to buy
and view their admissions file. For a fee, the sender promised access
to confidential information in the applicant’s file, including
comments from admissions officers and a tentative decision. The emails
demanded thousands of dollars in ransom from prospective students for
personal information the hackers claimed to have stolen.

All three schools use Slate, a popular software system, to manage
applicants’ information. Slate is used by more than 900 colleges and
universities worldwide. The company is not aware of other affected
colleges, said Alexander Clark, chief executive of Technolutions,
Slate’s parent company. Officials from the affected schools declined
to comment on the scope of the data breach.

Cybersecurity is a growing concern among colleges and universities.
The incidents occurred the same week a report revealed that Chinese
hackers had targeted more than two dozen universities in the United
States and other countries in an effort to steal research about
maritime technology being developed for military use.

Images circulating on Reddit and College Confidential message boards
show the admissions emails appear to come from official college
addresses. The emails promise recipients access to their admissions
file for a ransom of one bitcoin — more than $3,800. Other applicants
on Reddit claimed a subsequent email lowered the price to $60 for a
more limited amount of information.

Grinnell addressed the hacking Thursday on Twitter.

“This morning Grinnell learned from some prospective students that
they received an email from an individual claiming to have gained
unauthorized access to a database containing personally identifiable
information who would sell them access to their full admission file,”
the statement read. “If you receive(d) such a message, you are
strongly advised not to respond. We have contacted appropriate
authorities, including the Federal Bureau of Investigation, and will
send out notification as soon as possible.”

Grinnell spokeswoman Debra Lukehart said the school is continuing its
investigation. The college has not found evidence of prospective
students’ financial information being compromised, she added.

Hamilton College learned Monday someone gained unauthorized access to
its admissions system, said Vige Barrie, a college spokeswoman. Some
applicants received an email offering to provide application
information for payment. Barrie said the hackers may have obtained
some information from student applications, but there has been no
evidence applicants’ Social Security numbers or credit card
information was compromised.

Hamilton College “promptly began an investigation, engaged
cybersecurity professionals to assist, and took additional steps to
prevent further unauthorized access to applicant records,” Barrie
said. She said the college has contacted the FBI and will continue to
contact those affected by the incident.

Oberlin applicants received an email Thursday from Manuel Carballo,
vice president and dean of admissions and financial aid at Oberlin,
acknowledging the hack. In the statement, Carballo said the incident
affected a “limited number of prospective students and applicants” and
students who enrolled at Oberlin during or after the 2014 fall
semester.

Oberlin spokesman Scott Wargo said the college has not received
reports of prospective or current students receiving emails from the
hacker.

Victims may have had their name, address, birthday, email and other
admissions data compromised, according to the email. Carballo said
Social Security numbers for students completing the new student
registration process at Oberlin between fall 2014 and fall 2018 were
potentially exposed.

“We deeply regret that this situation has occurred and are aware of
how important your personal information is to you,” Carballo wrote in
the statement. “On behalf of Oberlin College, please accept my sincere
apology for any difficulties this incident may cause you.” He said the
school is working with federal authorities to investigate the incident
and suggested applicants place a fraud alert on their credit reports.

Parents and prospective students from the three colleges congregated
on Reddit and College Confidential message boards to vent their
concerns about the compromised security of personal information.

Some tried to find humor in the situation. “I hope they don’t leak my
essays, because they’re horrendous,” one Reddit user wrote.