@PengsPhils Thank you! This is very helpful. I have the actual emails my daughter got, and they do look legit. (No typos in the address. Same email address as previous emails from admissions)
The one thing I’m confused about is that the Hamilton breach seems to be on a different (lesser) level and to have affected far fewer students … and none have said (to my knowledge) that identifying info was included in the email to them.
Also, we did submit a special circumstances appeal with tons and tons of extra financial information through their portal, upon request, so I certainly hope that is segregated from application information.
Thanks for the info! It looks like they then sent the email via Slate while they still had access. Now that it’s been discovered, they should no longer have access and emails from this point onward are likely trustworthy, though probably worth some double checking for a while.
In regards to submitted documents, at this point the question is what parts of a school’s portal integrate with Slate, and what data did the bad actors download. My guess is it’s probably okay given that this part of Slate doesn’t appear to be integrated with FA based on the statements given thus far. Something to keep an eye on, but I wouldn’t lose sleep on it yet.
This could be for many reasons - they could be trying two different approaches to see if one works better, the colleges could store less information in Slate / only use some features, they could have mistakenly not gotten emails from one and had to spam many accounts and hope it was one of the students based on names, etc. I wouldn’t read into and wait for final reports / statements from the colleges.
I think this is the case. With the FBI now involved/alerted and no actual “hacking” occurring besides a password reset, there’s probably a good amount of metadata (Geolocated IP being a big one) logged via Slate that could lead to a possible full recovery of the data. Based on $0 earned so far and the hilarious change in pricing of the data, I’m betting this was amateurs looking to make a buck that are very much regretting their decision and wouldn’t even know how/where to sell this data if they wanted to, which is generally very low value it seems.
I’d say it’s on both: Slate for not having secure defaults, and the colleges for not changing to better security practices that would seem to be used by other colleges who also use Slate and were not hit.
I don’t know why the reports keep saying it remains unclear whether the hackers have the information or are just saying that they do. S19’s email (like many others) lists his birthday, the standardized test he took, and the name of his interviewers. They obviously got the file…or at least some of it.
I think Grinnell needs to send an email out to students and let them know what the hackers have. Or at least send an email saying they are working furiously on it and will let us know if we should be worried about SS#s or anything else important that might have been taken. All they’ve done is update social media. No emails directly to the kids.
Hi! I’m a higher education reporter at the Washington Post doing a write-up of the email hacks at Oberlin, Hamilton and Grinnell & their effects. Would love to ask you about your experience, feel free to reach out to morgan.smith@washpost.com
@homerdog - sadly my college-age D already got her SSN and such hacked in the Equifax breach (so did I). We froze our credit back then and keep it that way.
Maybe not a bad idea for any victims of this hack, and it’s now free to freeze and unfreeze, by law. We froze 5 agencies - the big 3 and 2 that mostly handle checks.
@OHMomof2 Hm. As far as I know, S19 doesn’t have his SS# on anything financial right now. I’ll double check with my husband in case I’m forgetting something. All he has is a savings account attached to our accounts at our bank.
Freezing credit is a good idea, a SS# and bday is enough info to steal identities. When my info was part of one of the past breaches, one of the remedies was free credit and identity theft monitoring for one year…I can’t remember if it was thru Experian or Lifelock, but one of the companies like that.
@Mwfan1921 I said no thanks to the free monitoring service, offered by the same agencies that allowed my data to be stolen! The freeze//unfreeze is a little bit of a pain but the safest option IMO.
a friend just got a very detailed email from oberlin … says exactly how long the database was circumvented for … Oberlin’s email says that the financial aid database was not compromised and that “social security numbers were potentially exposed only for students completing the new student registration process for enrollment at Oberlin between fall 2014 and fall 2018” … so, that’s potentially bad news for those students.
it goes on to explains how to put fraud alert on credit reports etc
i’m glad Oberlin is being transparent and wish Grinnell was saying more.
Email From: lines are frequently forged. You need to check the full headers of the email and compare them to known-legitimate email from Grinnell to see if the email was actually sent from Grinnell. Of course, it is possible that a cracker who stole an admissions employee’s credentials could use access to the Grinnell system to send email from the Grinnell system.