BOSTON, July 25 -- Yale University complained to the FBI today that admissions officers from Ivy League rival Princeton University broke into Yale's online admissions notification system and snooped on student files.
Princeton issued an immediate apology and suspended its associate dean of admission.
Yale accused Princeton of viewing confidential decisions regarding 11 candidates who had applied to both schools -- in some cases, doing so before the students had learned whether they were accepted.
A security audit by Yale's Information Technology Services showed undergraduate admissions officers at Princeton used applicants' last names, birth dates and Social Security numbers as passwords to repeatedly hack into the system in April. No motive for the alleged breach was offered officially by Princeton or Yale.
"We're in the process of assessing the situation to determine if there is a federal violation," said FBI spokeswoman Lisa Bull.
Princeton has embarked on an investigation and has placed Stephen E. LeMenager, who began at Princeton as an admissions officer in 1983, on administrative leave after he acknowledged making "an unauthorized transmission," spokeswoman Marilyn Marks said.
"The actions reported today by the Yale Daily News represent a serious lapse of judgment by at least one member of our admissions staff. We take this matter very seriously, and we are investigating it as quickly and as thoroughly as possible," Marks said.
LeMenager could not be reached for comment. In remarks to the Yale Daily News, however, he said Princeton chose a random sampling of students whose Social Security numbers appeared on their Princeton applications to test the security of Yale's Web site. He said no harm was intended, and he did not know why certain records were accessed several times.
"It was really an innocent way for us to check out the security," LeMenager said.
At the least, Princeton violated student privacy, said Dorothy K. Robinson, Yale vice president and general counsel. No additional breaches were detected.
"We have therefore notified appropriate law enforcement authorities as well as the applicants whose Web locations were accessed," Robinson said. "We have also notified Princeton and expect that they will follow up appropriately."
Chris Michel, editor in chief of the Yale Daily News, which broke the story Thursday in a special online edition, said university officials learned of the security breach at an Ivy League deans' conference in June. A Princeton official casually mentioned that staff members had accessed students' records on Yale's admissions Web site, and a subsequent Yale investigation found records of 18 log-ins from Princeton computers from April 3 to 16.
Fourteen of the log-ins were traced to computers in the Princeton undergraduate admissions office, and 12 of those occurred on the day of the Yale Web site's activation, according to a confidential preliminary security report obtained by The Washington Post.
The report showed that individual applicants' accounts were accessed multiple times from different computers in the university's admissions office as well as by applicants, none of whom lived in Princeton.
"The scattering of accesses from different computers . . . indicates the culpability of more than one person," concluded Alexander G. Clark, a Yale junior who developed the online admissions decision system and conducted the security audit. "It also leads one to believe that these accesses were not conducted by a single person without the knowledge of others."
The encrypted Web site, activated for two weeks last spring for the first time, attracted about 1,200 of the nearly 1,500 admitted students and thousands of others who had not been admitted. It included a notice that "no one but the applicant should make use of this online facility." The warning also said, "Yale considers this information to be confidential and will investigate and act on any violation of its intended use."
At the first log-in, accepted students were greeted by the Yale fight song, celebratory messages and a display of virtual fireworks. If the applicant was admitted, subsequent log-ins allowed them to enter profiles with academic and extracurricular interests. Rejected students also received notification.
The decision screen did not appear after the first log-in, so students who had been preempted by Princeton officials did not receive the automatic notification.
The site also included sensitive information about financial aid letters, names and e-mail addresses of current Yale students and their interests, applicants' intended majors, and academic and extracurricular interests provided by students on the SAT, the security report showed.
"It is something that should not have happened," said Scott Grzenczyk, 18, whose account was breached.
Yale rejected Grzenczyk, a high school senior in St. Louis, in April. He plans to attend Princeton in the fall. The irony of that decision, he said, is now setting in. "I expect an apology or something along those lines in the near future," he said.
Observers said it was not clear what advantage, if any, Princeton could have gained, given the apparent lack of any systematic or widespread intrusions.
Apart from testing Internet security, "it's very hard to understand what any other explanation would be, given there's only 11 applicants involved," said William Fitzsimmons, dean of admissions and financial aid at Harvard University.
Some observers speculated that Princeton could use the inside information to woo students who had been accepted at both schools with extra solicitations and improved financial aid packages. However, Ivy League universities have honored an unwritten agreement not to contact students for five days after the release of decisions, Fitzsimmons said.
Princeton, meanwhile, faces not only public embarrassment, but also possible legal action, some experts said.
Computer access has been broadly interpreted by courts as unauthorized if the user does not have permission of the computer's owner, said Jennifer Granick, litigation director for the Stanford Law School Center for Internet and Society. Staff writer Ian Shapira contributed to this report.
