Cyber Attackers Breach Admissions Database

Ananya Gupta

Students use desktop computers in the Mary Church Terrell Main Library shortly after Admissions suffered a cyber attack.

A database controlled by the Office of Admissions and Financial Aid was the victim of a targeted cyber attack carried out by unknown persons Tuesday morning. The attackers were able to collect information about prospective, current, and former students who enrolled during or after fall 2014.

The individuals responsible specifically attempted to gain access to the Admissions database five times Tuesday morning by attempting to log into various accounts. They finally breached the security system at 2:45 a.m., using a system flaw in the “reset your password” function on OCPass, which is provided by independent identity management software company Avatier. The problem has since been fixed on OCPass.

The hackers had access to the database until 6:49 a.m. — about four hours — when they were shut out of the system by Center for Information Technology staff, who were able to change the password of the hacked account. Access information for all admissions accounts has since been changed.

“We can’t know for sure why they chose this database, obviously, but this was a human being or a group of human beings specifically trying to access this database — this was a targeted attack,” said Ben Hockenhull, director of CIT.

CIT staff are still determining what specific data was accessed and if it was downloaded. The database in question contained names, birthdates, home addresses, phone numbers, email addresses, parent information, information concerning admissions files, and, in some cases, Social Security numbers.

It appears that the attack may have been part of a coordinated effort against colleges across the country. Reports on Reddit and other social media outlets allege a similar breach targeted a Grinnell College database, which was followed by mass emails to current applicants, offering their entire admissions packets, including admissions decisions and commentary from their personal admissions officers for a ransom. Originally, the hackers emails asked the high schoolers for $3,890 — the equivalent of one bitcoin — but have since reduced the price to $60. Hamilton College may have also been affected.

The FBI has been notified, but Hockenhull is not confident they will be able to identify the attackers.

“I doubt we’ll ever be able to find out who did it,” Hockenhull said. “With stuff like this, people just disappear.”

Scott Wargo, director of media relations, added that the attack was not due to negligence on Oberlin’s part.

“It’s a tough situation because Admissions didn’t do anything wrong,” Wargo said. “It was a targeted attack, which is the frustrating part. We couldn’t have prevented it.”

After an extensive search and review process, CIT has no reason to believe that any other systems or databases have been compromised and stressed that Oberlin’s financial aid information is in a separate database, which was not breached.

President Ambar alerted 4,200 current and former students about the breach via email yesterday. Parents and prospective students will receive notifications as well.

In the email, Ambar expressed her regrets for the breach and emphasized Oberlin’s commitment to confidentiality and cybersecurity.

“Oberlin College is committed to maintaining a secure computing environment and preserving the confidentiality of our electronic information,” she wrote. “We will continue to review and improve our security procedures to ensure that personal information is protected. We deeply regret that this situation has occurred and are aware of how important your personal information is to you. On behalf of Oberlin College, please accept my sincere apology for any difficulties this incident may cause you.”

For some students, the attack is a frightening reality of living in the digital age.

“I think its always scary to hear that your information has been breached in a way you weren’t aware of or comfortable with, and it further highlights the susceptibility of Oberlin to instances like this in today’s day and age,” College senior and Computer Science minor Hayley Drapkin said. “I think that as this issue grows — and it has been growing over the past 10 years — as data grows more valuable, it’s more important on the side of the College to ensure all student, faculty, and prospective students’ data are safe.”

For others, the breach was slightly less concerning.

“I was a little upset, a little shocked. I thought it was kind of hilarious at first, but the more it sits with me, the more I’m like, ‘Wow, this is really, really messed up,’” College junior Jack Mckeown said. “Because they also lost [information of] people who don’t even go here. … I actually sent a screenshot of it to all my high school friends.”

In her email, Ambar also provided links to numerous cybersecurity resources and said the College will be providing free credit monitoring services to those who are interested.