Online Intrusion into Stanford University's Computer Nets Little

March 4, 2005
Hacker helped 41 access system to learn of admissions, but info had not been loaded yet

Computer intruders broke into Stanford University's business school admissions process -- but failed to learn the status of their applications.

According to Stanford, 41 people surreptitiously entered the "back door" of an online admissions program through the aid of a computer hacker.

But their impatience didn't pay off -- Stanford doesn't post its decisions online until March 31, the official announcement date.

"Our internal controls worked perfectly, because they were designed with the expectation that it was only a matter of time before someone tried to hack into the online application," said Derrick Bolton, director of admissions for Stanford's MBA program.

Harvard, Duke and dozens of other business schools were hit by the security breach.

Some of the schools had already posted decisions online, where they were viewed by intruders.

The breach occurred after an unidentified hacker posted how-to instructions on Business Week's online technology forum at 12:15 a.m. Wednesday, describing how applicants could log onto schools' sites to see if they had been accepted or rejected. The instructions stayed up for about nine hours, until removed by Business Week.

The hacker took advantage of an online application and notification program called ApplyYourself, made by a Fairfax, Va., company.

The days of waiting for an envelope to arrive in the mail are long gone -- instead, applicants now log onto the ApplyYourself Web site to learn whether they have been accepted, rejected or wait-listed.

The instructions were posted by someone who called himself "brookbond." The Harvard Crimson newspaper said "brookbond" used the technique to find out his own admission status at Harvard Business School.

The fate of the intruders is in limbo. Officials with ApplyYourself say they can identify which files were accessed -- and will pass on the names to school officials, who are likely to re-evaluate those applicants in a harsher light. Stanford has been given the names of its tampered-with files.

But it could be tough to blame the applicant.

"The major issue is: You don't know if the applicant accessed his or her own account, or if it was parents, a spouse or a roommate," said Bolton.