College applicants received emails last week offering a “unique opportunity” to pay thousands of dollars to view their own admissions information collected by schools to which they had applied.
Hackers targeted the databases that hold admissions information at Hamilton College, Grinnell College and Oberlin College, three small liberal arts institutions in New York, Iowa and Ohio. All three databases are managed by Slate, a popular admissions management software made by Technolutions. Slate is used by more than 800 colleges worldwide and collects and manages data on applicants, including transcript data, extracurriculars, and the student’s family information.
According to a post on Reddit, hackers offered to hand over the information to prospective students of Grinnell College in exchange for one bitcoin, $3,847 as of this writing:
“Dear [NAME], You are now presented with a unique opportunity to purchase your entire admissions file:
Comments by Admissions Officers
Interview Report (if present)
Tentative Decision (if applying Regular)
We are charging 1 BTC (~$3890) for this data. Be aware that although the price tag is substantial, this offer presents a unique opportunity to look at yourself from the inside of Grinnell Admissions office absolutely unfiltered. To receive the service, send the amount to [bitcoin address] and write an email to [email] that contains one single string – your Bitcoin Transaction ID. If you don’t have the amount yet but are planning to purchase the service, you are welcome to drop an empty message to the named address so that in case of compromise you will be able to get in touch with us.
Let this message serve as proof that Slate has indeed been breached. We look forward to working with you, [NAME]! Your birthday is on [BD].”
Colleges are encouraging their applicants not to comply.
“If you receive(d) such a message, you are strongly advised not to respond. We have contacted appropriate authorities, including the Federal Bureau of Investigation, and will send out notification as soon as possible,” Grinnell College tweeted on March 7.
The schools have not disclosed how the hackers initially gained access to their systems, but Technolutions CEO Alexander Clark said that the hackers gained access to Slate by resetting the passwords of college employees at the three schools.
Reports indicate the emails to students from hackers appear to have been sent from official university addresses.
“We have advised all of our colleges and universities to review the security practices of their single sign-on and password reset systems,” Clark told the Wall Street Journal.
Viga Barrie, a spokesperson at Hamilton College, said that the school reached out to those affected after it began its investigation on March 4, but that no financial information was compromised.
“Data such as credit card information and social security numbers are encrypted in our database, and there is no evidence this information was obtained. Financial aid applications, current student records, and employee information are stored in different systems and were not affected by the incident,” a Hamilton statement reads.
A statement provided to EdScoop from Oberlin says hackers gained access to its systems on March 5, “at which point the College regained control of the account and action was taken to secure the database.” Counter to other reports, Oberlin says it has not yet heard of any of its students receiving emails from hackers.
Some students have reported hackers later reduced their prices to just $60 in exchange for slightly less information, but to no avail. As of this writing, the bitcoin address shared by the hackers shows zero transactions.