Hackers Steal Applicant Data from Three US Colleges
Last week, applicants for three US colleges – Hamilton in New York, Oberlin in Ohio, and Grinnell in Iowa – started receiving some strange emails. On the face of it, the messages looked like they were coming from the schools, but the contents told a different story.
Hackers trying to do business
The emails were sent by a bunch of cybercriminals who were giving recipients what they called "a unique opportunity". The applicants had the chance to take a peek at their own admission files, which the hackers had managed to steal from the three colleges. The files in question contained comments from admission officers, ratings, teacher recommendations, and, in some cases, tentative decisions and interview reports.
To prove that they weren't messing about, the crooks addressed applicants by name and included their correct dates of birth in the emails. The criminals told affected individuals that they got their hands on the data after breaching Slate, a CRM platform designed for and used by higher education institutions.
Of course, they weren't giving away the information for free. To get the privilege of taking a look at what colleges thought of them, the applicants needed to pay 1 Bitcoin (or around $3,800). Those who couldn't raise the money immediately were told to contact the crooks, who would offer a solution.
Hackers failing to do business
The price tag, you have to agree, is rather hefty, but apparently, the crooks thought that it could be justified. What they were offering was not easily accessible, and they were sure that there would be no shortage of people willing to get their hands on the stolen information. So, did it work?
Not really. The discussion on Reddit and the message boards shows that overall, the applicants aren't very keen on paying this kind of money in exchange for their admission files. The crooks realized that the initial price was a bit silly and sent out a follow-up email a couple of days later saying that for just $60, the applicants could get a portion of the data. Even that didn't work.
Today, almost a week after the first emails started flying around, the criminals' bitcoin wallet has registered no incoming or outgoing transactions.
The crooks still have the data
The hackers' initial attempts to monetize the stolen files failed spectacularly, but they still have them, and they'll probably try other means of getting some money from them. But how likely are they to succeed?
The Washington Post got in touch with the three colleges and asked what sort of information was stolen. It turns out that in addition to names, addresses, emails, and birthdays, some Social Security numbers might have been exposed, which is not good news. On the bright side, the spokespeople said that financial data was not compromised, but they preferred not to comment on the number of affected individuals, which means that the scope of the breach remains unknown.
Was Slate really hacked?
Hundreds of universities and colleges across the globe use Slate, which means that the platform is responsible for handling quite a lot of data. Needless to say, the crooks' claims that Slate had been compromised made quite a lot of people rather nervous.
According to Technolutions, Slate's developer, however, there's nothing to worry about. The software vendor reckons that the attack succeeded because of a vulnerability in the Single Sign-On systems used by the three colleges. A Single Sign-On system can allow access to multiple different resources (including Slate) with a single set of login credentials. Its goal is to reduce password fatigue, and it's used by thousands of organizations all around the globe. Apparently, the hackers managed to either phish or reset some Single Sign-On credentials, logged in to Slate, and made off with the data.
Given that there isn't that much publicly available information, affected applicants can do little more than keep their eyes peeled, especially in light of the possibly exposed Social Security numbers. As for universities and colleges, they could do worse than understand that they're responsible for protecting the data of many people. Keeping it as safe as possible is of utmost importance.