Peer Admissions Data Hack Heightens Cybersecurity Concerns

Julia Knoerr ‘21

Senior Staff Writer

Illustration by Richard Farrell ’22.

The college application process connotes privacy and confidentiality. However, recent admissions data hacks of several prestigious liberal arts colleges highlighted the increasingly high stress, competitive nature of this process by monetizing applicants’ information.

In early March, applicants to Grinnell, Oberlin, and Hamilton Colleges received emails offering admissions information in exchange for compensation. Images suggest hackers requested one bitcoin, or over $3,800, for applicants’ full case files, appearing to come from admissions email addresses. Targeting the password reset system, hackers gained access to campus resources, including the admissions platform Slate. Like these three peer institutions, Davidson also uses Slate as its admissions system.

Computer Science Professor Dr. Doug Locke overviewed common hacking methods: “The key…is what’s referred to as an attack vector….with any system you want to attack, the goal is to try to get in where you don’t belong.” Attack vectors act as mechanisms to access systems for mal intent by identifying vulnerabilities.

As some applicants experienced, passwords serve as the most common attack vectors. Locke elaborated, “Most people do a poor job at picking passwords…a lot of people use personal information.” Writing down passwords also creates risk.

To hack admissions data, unauthorized individuals could locate personal information online through scrapping, a process by which software mimics human web browsing to collect data across many websites.Gathering identifiers from online college directories and social media accounts, hackers could then attempt to change passwords.

Additionally, Locke discussed brute force attacks that breach log-ins by continuously attempting different passwords, though tightened restrictions have limited their effectiveness. Phishing emails also serve as highly effective tools that appear legitimate but incorporate links to fake sites with viruses. Perpetrators could have likely used phishing attacks to gather the information they offered.

Upon identifying one vector, hackers can use it to locate others. Locke observed, “Of course they’re hoping that you’ll have lots of status because the more status you have, the further they can get by using your information.” Consequently, he posited that hackers would target administrators to access more data than available through a student or faculty account.

Some current Davidson students who applied to Grinnell, Oberlin, and Hamilton in past years received emails informing them of the incidents.

A message from Grinnell College to Hope Anderson ’22 stated: “On March 7, 2019, the College learned that an unauthorized person accessed the system that houses admission-related information. Upon learning of the situation, we promptly began an investigation, engaged cybersecurity professionals to assist us, took steps to prevent further unauthorized access to applicant records, and reported the incident to the FBI.”

Although investigation is ongoing, the email offered, “at this time we have no evidence that any images or files of application essays, letters of recommendation, transcripts, or other supporting documents sent to us as part of an application for admission were compromised.”

After experiencing a similar event on March 4th, Hamilton College’s statement revealed, “Components of students’ applications for the Class of 2023 may have been accessed illegally, but data such as credit card information and social security numbers are encrypted in our database, and there is no evidence this information was obtained. Financial aid applications, current student records, and employee information are stored in different systems and were not affected by the incident.”

Comparatively, Oberlin College’s March 5th data breach impacted prospective students from 2014 forward and may have compromised social security numbers for students who registered for enrollment between 2014 and 2018. Oberlin’s Director of Media Relations, Scott Wargo, reassured: “The College regained control of the account and effective action was taken to secure the database within hours of the breach occurring. Oberlin College is committed to maintaining a secure computing environment and protecting all proprietary, confidential, and sensitive data.”

Such hacking attempts raise concerns for confidentiality and sensitivity in the college admissions process. Senior Admissions Fellow Luis Toledo ’20 shared, “It’s really important for anyone who works in admissions to know that it’s a really big responsibility. I didn’t know how much responsibility I had until I got to know Slate and got to know the program itself.”

While student staff members can access less information on Slate than full-time staff, Toledo indicated his training emphasized responsibility. He remarked, “The guideline is that we can access only information that we need…to be successful in [our] duties but nothing that will be of any personal gain or will satisfy any personal curiosity.”

Contemplating motives for hacking admissions files, Locke suggested financial gain and bragging rights as the most relevant goals. Toledo added, “I think part of it is not knowing what information might actually be there and…having access to something you are not supposed to have access to.”

Hannah Maltzan ’20, an admissions tour guide, contemplated why hackers specifically targeted Grinnell, Oberlin, and Hamilton. Noting similarities between the three, she offered, “They’re competitive schools to get into, and they’re a little bit more out of the eye of the majority of the population, so it’s easier to get away with things when people are always trying to look into the bigger schools.” Davidson’s parallel size and level of competitiveness attract comparable applicants and concerns.

However, Toledo highlighted the Honor Code’s influence on Davidson’s commitment to information security as a community expectation. He commented on the importance of establishing trust between prospective students and institutions, questioning, “Why would I want to come to a place where not even my information is safe? If I can’t even trust you to keep that little information I’ve given you as a prospective student, how can I allow you to have my social security number in the future, have my student ID, or [have] my bank accounts available to you?” Toledo has noticed more questions from prospective students surrounding applicant security since the hack attempts.

Although Davidson did not encounter system intrusion, Mark Johnson, Chief Marketing and Communications Director, and Kevin Davis, Chief Information Officer, sent a campus-wide email on March 9th to outline increased security precautions. Specifically, off-campus password reset halted, and Duo two-step identification expanded to all parties with access to Slate.

Slate claims hackers did not breach its system, as password resetters function separately. A common admissions software, “Slate was selected [for Davidson] among several competitors, because it was a superior system in how it aided our recruitment work, its intuitive operation and the variety of support functions it provides,” Johnson commented. Because Slate has functioned successfully in the past, Maltzan does not see reason to switch platforms; neither she nor Toledo is aware of any similar past incidents.

Prioritizing security, Davidson took immediate precautions upon learning of other colleges’ hacks from the vendor. Johnson noted, “Duo improves the security of logins because it requires you to have something beyond a password (like a security key or your phone) to log in to a system. A stolen or guessed password isn’t enough by itself to gain access to an account protected by Duo.” He anticipates extending Duo to more of Davidson’s campus by 2019 to allow staff to roll out multiple security projects.

Locke weighed Duo’s advantages and disadvantages. While two-level authentication can slow hackers, having access to an email account would still allow them to reset passwords. He added that multiple identification processes could take valuable class time from professors if one system fails to work.  

Computer Science major and Technology and Innovation (T&I) Student Technology Consultant Matthew Days ’19 added that while Duo is helpful, it could also be hacked. Similar to Locke, he considered difficulties in gaining campus support: “The problem with technology is that it changes all the time…and we don’t change as quickly as that.”

However, Days believes campus cybersecurity has vastly improved during his time at Davidson. After addressing particularly harmful phishing attempts when he first joined T&I, Days remarked, “The departmental response improved, and the campus-wide response also improved. I think it made the entire campus more secure. People are still being vigilant.”

Beyond T&I, Davidson Campus Police also plays a role in addressing cybersecurity concerns. An emailed response from Sargeant Vanessa Benson elaborated, “For reported incidents, dating back to April 2013, Campus Police investigated approximately 10 cases that involved suspicious activity over the internet where the suspect asked for personal identification or personal banking information from individuals via email within the Davidson College community. It’s important to know that of those reports Campus Police investigated, we must think of the incidents that are not reported.”

While the Grinnell, Oberlin, and Hamilton hacks exemplify highly publicized attacks, smaller-scale attempts are also common. Johnson noted, “T&I receives at least one report of a suspicious email most days of each week.”

As a result, Locke and Johnson urge community members to prioritize password security. The Davidson T&I website characterizes a strong password as one with no personal information, obvious phrases or usernames; a mix of uppercase and lowercase letters, numbers and spaces; and more than 15 characters. Locke recommends using a password manager to keep track of many unique passwords.

Furthermore, Benson advised, “If an individual receives an email or other cyber-based correspondence that seems suspicious, report it. T&I and Campus Police take each case seriously.”As technology evolves, Locke explained that new applications bring increased attack vectors. In response, Johnson summarized, “The greatest protections are the easiest ones, things like: change your password regularly, use a unique password for each site…don’t respond to unfamiliar emails, and don’t click on anything unless you have 100 percent confidence of who it is from and what it contains.”

Comments are closed.