College unaffected as three schools find admission files breached

Danny Jin

The College’s admission database remains secure, according to the office of admission and the office for information technology (OIT), after three liberal arts colleges saw their databases hacked last week.

Some applicants to Grinnell, Hamilton and Oberlin received emails on Thursday morning offering them to purchase their admission files at the cost of one bitcoin, approximately $3890. Signed “Diane Evergreen, UDA International,” these emails identified applicants’ correct date of birth and claimed to present “a unique opportunity” to access “comments by admissions officers,” “assigned ratings,” “interview report (if present),” “teacher recommendations” and “tentative decision (if applying regular).” Discussions ensued on Reddit amongst students who had received the emails, and some wrote that they received a later email lowering the price to $60. A Reddit account with the username “devergreenuda” added comments revealing applicants’ name, sex, citizenship and race. A link to the bitcoin address showed no transactions as of press time. In a March 7 tweet from its official account, Grinnell urged students not to respond to the email, adding that the college had contacted “appropriate authorities, including the Federal Bureau of Investigation.”

Although the email claimed that Slate, a popular admission management software system, had been breached, Slate’s manufacturer stated that the unauthorized party had gained access to the schools’ individual accounts rather than to Slate’s system. Grinnell, Hamilton and Oberlin – as well as the College and over 900 other colleges and universities – use Slate as their platform for admission data.

“Slate was not hacked,” Technolutions CEO Alexander Clark told Inside Higher Education. “Rather, an unauthorized party used weaknesses in the password reset systems operated by three colleges to gain access to the campus resources – not just Slate – to which the user had access.”

While confirming that the College’s systems had remained secure, Chief Information Officer Barron Koralesky emphasized the importance of two-step verification and other cybersecurity measures that the College has taken to prevent compromisation of accounts. 

“If those colleges had had two-step, even if the passwords got stolen, that person couldn’t have gotten into Slate to get the students’ information,” Koralesky said. “The important part of two-step is that even if their passwords were changed or compromised, a scammer could not have logged into the admission system without the second factor… Those people’s usernames and passwords were used to access admission information for those schools, so it really goes to show that passwords alone are not secure enough anymore.”

Admission staff members are already required to use two-step, and all students at the College will be required to set up two-step for their Google accounts by April 10. Two-step requires an additional mode of verification so that a stolen password alone cannot provide unauthorized access to an account. OIT has put several educational posts in daily messages, and Director of Client Services Seth Rogers has sent emails reminding students of effective security measures.

“The biggest thing is education,” Koralesky said. “It’s really the people who are best going to protect our information – taking care of their passwords, signing up and using two-step, putting sensitive data only in places where it’s allowed and well protected.”

OIT has instituted an incident response plan to work through potential breaches, as well as a data classification project to safeguard sensitive information. It has also encrypted campus computers to prevent data loss in case of theft. According to Koralesky, information security has been one of OIT’s key concerns in recent years, and technical controls such as firewalls have long been in place to restrict unauthorized access to information.

Prior to the cyberattacks on the three liberal arts colleges,  The Wall Street Journal reported that Chinese hackers were targeting U.S. research universities in an attempt to steal military secrets. Koralesky said that there is no cause for increased concern about a potential breach at the College, although OIT is continuing to bolster cybersecurity by taking preventative measures.

“We’re doing everything we can to lower our risk, and we’ve been doing that for a long time,” Koralesky said. “It’s just that the information security world is getting more and more dangerous… I think Williams isn’t the biggest target, but we need to be careful about our security, too.”