The Washington PostDemocracy Dies in Darkness

Hackers breach admissions files at three private colleges

Applicants to Oberlin, Grinnell and Hamilton received a suspicious email offering them the chance to buy their admission files.

Oberlin College was one of three schools affected by an admissions data breach. (Tony Dejak/AP)

Applicants to three private colleges this week discovered just how steep the price of admission can run.

Hackers breached the system that stores applicant information for Oberlin College in Ohio, Grinnell College in Iowa and Hamilton College in New York and emailed applicants, offering them the chance to buy and view their admissions file. For a fee, the sender promised access to confidential information in the applicant’s file, including comments from admissions officers and a tentative decision. The emails demanded thousands of dollars in ransom from prospective students for personal information the hackers claimed to have stolen.

All three schools use Slate, a popular software system, to manage applicants’ information. Slate is used by more than 900 colleges and universities worldwide. The company is not aware of other affected colleges, said Alexander Clark, chief executive of Technolutions, Slate’s parent company. Officials from the affected schools declined to comment on the scope of the data breach.

Cybersecurity is a growing concern among colleges and universities. The incidents occurred the same week a report revealed that Chinese hackers had targeted more than two dozen universities in the United States and other countries in an effort to steal research about maritime technology being developed for military use.

Images circulating on Reddit and College Confidential message boards show the admissions emails appear to come from official college addresses. The emails promise recipients access to their admissions file for a ransom of one bitcoin — more than $3,800. Other applicants on Reddit claimed a subsequent email lowered the price to $60 for a more limited amount of information.

Grinnell addressed the hacking Thursday on Twitter.

“This morning Grinnell learned from some prospective students that they received an email from an individual claiming to have gained unauthorized access to a database containing personally identifiable information who would sell them access to their full admission file,” the statement read. “If you receive(d) such a message, you are strongly advised not to respond. We have contacted appropriate authorities, including the Federal Bureau of Investigation, and will send out notification as soon as possible.”

Grinnell spokeswoman Debra Lukehart said the school is continuing its investigation. The college has not found evidence of prospective students’ financial information being compromised, she added.

Hamilton College learned Monday someone gained unauthorized access to its admissions system, said Vige Barrie, a college spokeswoman. Some applicants received an email offering to provide application information for payment. Barrie said the hackers may have obtained some information from student applications, but there has been no evidence applicants’ Social Security numbers or credit card information was compromised.

Hamilton College “promptly began an investigation, engaged cybersecurity professionals to assist, and took additional steps to prevent further unauthorized access to applicant records,” Barrie said. She said the college has contacted the FBI and will continue to contact those affected by the incident.

Oberlin applicants received an email Thursday from Manuel Carballo, vice president and dean of admissions and financial aid at Oberlin, acknowledging the hack. In the statement, Carballo said the incident affected a “limited number of prospective students and applicants” and students who enrolled at Oberlin during or after the 2014 fall semester.

Oberlin spokesman Scott Wargo said the college has not received reports of prospective or current students receiving emails from the hacker.

Victims may have had their name, address, birthday, email and other admissions data compromised, according to the email. Carballo said Social Security numbers for students completing the new student registration process at Oberlin between fall 2014 and fall 2018 were potentially exposed.

“We deeply regret that this situation has occurred and are aware of how important your personal information is to you,” Carballo wrote in the statement. “On behalf of Oberlin College, please accept my sincere apology for any difficulties this incident may cause you.” He said the school is working with federal authorities to investigate the incident and suggested applicants place a fraud alert on their credit reports.

Parents and prospective students from the three colleges congregated on Reddit and College Confidential message boards to vent their concerns about the compromised security of personal information.

Some tried to find humor in the situation. “I hope they don’t leak my essays, because they’re horrendous,” one Reddit user wrote.