...but not really.

Needless to say, this was HUGE news late last week:

On Thursday morning a high-school senior in Texas received a strange email. “You are now presented with a unique opportunity,” it said, “to purchase your entire admissions file.”

The message appeared to have been sent by Grinnell College, to which the student had applied. But Grinnell hadn’t sent the message; apparently, someone outside the Iowa campus had. Whoever it was claimed to have accessed the college’s admissions database. As if to provide proof, the message included the applicant’s correct date of birth.

The mysterious sender offered the student a chance to see his file, including comments by admissions officers, assigned ratings, interview notes, teacher recommendations, and a tentative decision. “Although the price tag is substantial,” the message said, “this offer presents a unique opportunity to look at yourself from the inside of Grinnell Admissions office absolutely unfiltered.” All he had to do was pay one Bitcoin, or about $3,900.

That student wasn’t alone. Other applicants to Grinnell, as well as to Hamilton College, received the same message, though it wasn’t immediately clear how many. In a tweet on Thursday, Grinnell said it had learned that “some” prospective students had received the offer. The college urged recipients not to respond to the message, and said that it had contacted the Federal Bureau of Investigation.

Debra Lukehart, vice president for communications at Grinnell, told The Chronicle that applicants’ financial information and admissions data are stored separately. The college, she said, was poised to hire a data-security expert to aid in its investigation of the incident.

In an email to The Chronicle, Michael J. Debraggio, associate vice president for communications at Hamilton, confirmed that multiple applicants had received an email offering information about their application files in exchange for Bitcoin. The New York college was investigating the incident, he said, and had contacted all applicants to inform them of a possible data breach, “to be safe.”

[...]

Grinnell and Hamilton have something in common: They both use Slate, a popular software system, to manage their vast troves of applicants’ information. The email offering to sell applicants’ hacked information said: “Let this message serve proof that Slate has indeed been breached.”

Not so, according to Slate’s creator. “Slate remains secure, and Slate has not been accessed without legitimate user credentials,” Alexander Clark, chief executive officer of Technolutions Inc., wrote in an email to The Chronicle on Thursday. “We are aware of three colleges where an unauthorized party used the college’s password-reset system (hosted by the college, not by Technolutions/Slate) to reset a college staff member’s password and then used that legitimate user account to gain access to their Slate database and to other campus systems.”

Oof.

At Penn State we have just engaged with Slate and are in phase I of the "roadmap". As soon as this news came down, several different staff came to me with concerns about our move to use Slate. The overwhelming question was, "What if it's not secure?"

In reading all of the articles around the web, coupled with the message that came from Alexander Clark himself to the Slate community:

We are aware of an unauthorized party that has used legitimate user credentials to gain access to Slate and other campus systems. This party has used the password reset systems of a college's single sign-on system to change the passwords of college staff. The single sign-on and password reset systems are hosted by the college, not by Technolutions/Slate.

...I am confident of two things:

  1. Slate itself has not been compromised; and
  2. Grinnell and Hamilton colleges (and anyone else who fell victim to this "hack") will shortly be instituting two-factor authentication for all of their systems.

Penn State has long had two-factor authentication for our student information system and in the last five years or so has instituted 2FA for all administrative systems (including our email).

But back to the original article...

Not long after receiving the email, some Grinnell applicants received a follow-up message from Diane Evergreen that also appeared to come from the college. The email explained that the initial offer had been greatly reduced: “We decided to lower the price to $60 dollars worth of Bitcoins. For this price you will get admissions comments and your interview report (if any).”

But there was no price tag for the headache that the incident was sure to cause for affected colleges.

Headaches indeed. I can only imagine.
