On March 25, Grinnell College alerted several students through email and U.S. mail that their personal information, including social security numbers, might have been compromised by a hack in the system that houses the College’s admissions-related information. This notice follows the March 8 announcement sent as a special campus-wide memo that an unauthorized party had accessed the system.
On the morning of March 7, prospective students for the incoming class of 2023 alerted the admissions office that they had received emails apparently sent through the official College admissions account. The emails were signed by “Diane Evergreen, UDA International” and stated that they had gained access to a database containing admissions information and that the prospective students could purchase access to their full admission files for the price of one Bitcoin, or around $3,890. The offer claimed that the purchase would provide access to the individual’s comments by admissions officers, assigned ratings, interview report (if present), teacher recommendations and tentative decision of admission.
Some applicants received another email shortly after as well, offering to reduce the price. “We decided to lower the price to $60 dollars worth of Bitcoins. For this price you will get admissions comments and your interview report (if any),” the email stated.
The College quickly responded to the incident on its social media accounts the morning of March 7, urging anyone who had received the email not to respond to it.
“Upon learning of the situation, our information technology team shut down the intrusion within a matter of hours and confirmed the system was stable. We promptly began an investigation with the assistance of cybersecurity professionals, increased security protocols to prevent further unauthorized access to admission records, and reported the incident to the FBI,” Joe Bagnoli, vice-president for enrollment and dean of admissions & financial aid, wrote in an email to The S&B.
Two other private, liberal arts colleges, Hamilton College in New York and Oberlin College in Ohio, also reported attacks on their admission-related information as well, with the same offer to purchase admission files sent to applicants. Each college uses the software system Slate to manage admission information, and the original email sent to applicants declared “Let this message serve proof that Slate has indeed been breached.”
According to the Chronicle of Higher Education, however, Slate itself was not actually accessed by unauthorized users. Instead, it is likely that the unauthorized party reset a college staff member’s password to gain access to campus systems.
Although the March 8 campus memo stated that there was no evidence that any financial information had been accessed by unauthorized sources, many students now worry about the risk of stolen identity. All students who received a notice letter after March 25 are confirmed as individuals whose personal information was included in the data system files accessed in the hack.
In the notice letter, affected individuals were offered a complimentary two-year membership of Experian IdentityWorks Credit 3B. According to the notice, this product “helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft.”
The letter also provided information on taking additional steps to avoid identity theft and fraud. These include placing a fraud alert and security freeze on your credit file and obtaining a free credit report. Under federal law, anyone can receive one free credit report yearly from each major nationwide credit reporting company: Equifax, Experian and TransUnion LLC.
Some students feel that the College’s response to the hack has not been nearly strong enough. “I feel like the College, their response is lacking a lot. First of all, I mean, if they got our FAFSA then they could’ve gotten our parents’ social security numbers, and that’s something that the school hasn’t even addressed,” said Winnie Commers ’22. “And how much do these people really know? We have no idea, because all they’ve told us is ‘your info may have been hacked’ and it’s like, well you’ve got to tell us more! And I don’t feel like what they’ve given us is nearly enough.”
Following this incident, some questions and concerns have also been raised regarding its potential impact on enrollment for the class of 2023. However, admissions counselors do not believe this to be a pressing issue.
“We do not expect that the incident will impact enrollments. We have a large pool of qualified applicants for admission this year and believe enrollments will be stable in the fall. Nevertheless, we take this situation very seriously and sincerely regret the concern and inconvenience this may cause,” Bagnoli wrote.
For any individuals still concerned with how the compromised system may have affected their information, a confidential, toll-free call center has been established. Professionals familiar with the incident can be reached by calling 888-526-1229 from 8 a.m. to 8 p.m. from Monday through Friday. The investigation into this incident is ongoing.