Hackers Broke Into Admissions Databases at 3 Colleges — and Then Offered to Sell Applicants Their Files

On Thursday morning a high-school senior in Texas received a strange email. “You are now presented with a unique opportunity,” it said, “to purchase your entire admissions file.”

The message appeared to have been sent by Grinnell College, to which the student had applied. But Grinnell hadn’t sent the message; apparently, someone outside the Iowa campus had. Whoever it was claimed to have accessed the college’s admissions database. As if to provide proof, the message included the applicant’s correct date of birth.

The mysterious sender offered the student a chance to see his file, including comments by admissions officers, assigned ratings, interview notes, teacher recommendations, and a tentative decision. “Although the price tag is substantial,” the message said, “this offer presents a unique opportunity to look at yourself from the inside of Grinnell Admissions office absolutely unfiltered.” All he had to do was pay one Bitcoin, or about $3,900.

That student wasn’t alone. Other applicants to Grinnell, as well as to Hamilton College, received the same message, though it wasn’t immediately clear how many. In a tweet on Thursday, Grinnell said it had learned that “some” prospective students had received the offer. The college urged recipients not to respond to the message, and said that it had contacted the Federal Bureau of Investigation.

Debra Lukehart, vice president for communications at Grinnell, told The Chronicle that applicants’ financial information and admissions data are stored separately. The college, she said, was poised to hire a data-security expert to aid in its investigation of the incident.

In an email to The Chronicle, Michael J. Debraggio, associate vice president for communications at Hamilton, confirmed that multiple applicants had received an email offering information about their application files in exchange for Bitcoin. The New York college was investigating the incident, he said, and had contacted all applicants to inform them of a possible data breach, “to be safe.”

Earlier this week, Monica C. Inzer, Hamilton’s vice president for enrollment management, sent an email to applicants explaining that the college had noticed “suspicious activity” in its admissions database. Though some components of students’ applications might have been viewed by outsiders, she wrote, “data such as credit-card information and Social Security numbers are encrypted in our database, and there is no evidence that this information was obtained.”

Was Slate Breached?

Grinnell and Hamilton have something in common: They both use Slate, a popular software system, to manage their vast troves of applicants’ information. The email offering to sell applicants hacked information said: “Let this message serve proof that Slate has indeed been breached.”

Not so, according to Slate’s creator. “Slate remains secure, and Slate has not been accessed without legitimate user credentials,” Alexander Clark, chief executive officer of Technolutions Inc., wrote in an email to The Chronicle on Thursday. “We are aware of three colleges where an unauthorized party used the college’s password-reset system (hosted by the college, not by Technolutions/Slate) to reset a college staff member’s password and then used that legitimate user account to gain access to their Slate database and to other campus systems.”

Clark declined to name the third institution that had been affected, but The Wall Street Journal reported that it was Oberlin College, in Ohio.

Slate is used by more than 800 colleges worldwide. Last year the system transmitted 1.6 billion emails, seven million text messages, and 8.5 million new applications.

Technolutions, Clark said, had advised colleges using Slate to review security practices for their single sign-on and password-reset systems. In an email to Slate users on Thursday the company strongly encouraged the use of two-factor authentication in single sign-on systems.

Cut-Rate Hackers

Who was behind the scheme? College officials could only guess. The Chronicle did not receive an immediate response from the email address included in the message to the students.

The email offer to applicants was signed “Diane Evergreen.” Beneath that name was “UDA International.”

The message concluded cheerfully: “We look forward to working with you, [applicant’s name]!” Apparently, there were no takers: A link to the Bitcoin address on Blockchain showed no transactions as of late Thursday afternoon.

Not long after receiving the email, some Grinnell applicants received a follow-up message from Diane Evergreen that also appeared to come from the college. The email explained that the initial offer had been greatly reduced: “We decided to lower the price to $60 dollars worth of Bitcoins. For this price you will get admissions comments and your interview report (if any).”

But there was no price tag for the headache that the incident was sure to cause for affected colleges. On Thursday morning a discussion of the messages erupted on Reddit. Some users who said they had received the emails expressed concern for the safety of their personal information.

“I hope they don’t leak my essays,” another wrote, “cause they are horrendous.”

And perhaps this sentiment was inevitable: “I will pay 1 BTC for Ivy League admissions hack …”

Eric Hoover writes about the challenges of getting to, and through, college. Follow him on Twitter @erichoov, or email him, at eric.hoover@chronicle.com.