FBI, Princeton to investigate breach of Yale admissions Web site

Computerworld - The FBI and Princeton University have opened investigations involving a Princeton admission official who improperly logged into a Web site for students applying to rival Yale University.
In a statement today, Princeton officials acknowledged the incident, which occurred in April, when at least one admissions department worker "used the Social Security numbers of a number of Princeton applicants to access a secure Web site by which Yale informed its applicants of its admission decisions."
Princeton officials said they notified Yale officials of the incident at a May meeting of Ivy League admission officers. Yesterday, according to Princeton, Yale reported the incident to federal and state law enforcement officials.
Lisa Bull, spokeswoman for the FBI field office in New Haven, Conn., confirmed that the office has opened an investigation but refused further comment.
A spokesman for Yale in New Haven couldn't be reached for comment. Officials at Princeton, N.J.-based Princeton University said they wouldn't comment beyond their written statement.
The Princeton official has been identified as Stephen LeMenager, an associate dean of admissions, who acknowledged that he improperly accessed the Yale Web site, according to Marilyn Marks, a school spokeswoman. LeMenager, who began at Princeton as an admissions officer in 1983 and is second in command at the admissions office, couldn't be reached by telephone today. He was placed on administrative leave while the investigations continue.
Security and privacy experts said the incident provides lessons for both sides, as well as for all Web users. Most important, they said, was that both universities apparently should share the blame for this incident.
Eric Hemmendinger, an analyst at Boston-based Aberdeen Group Inc., said Yale was foolish for using easily obtained name and Social Security information to allow access to its admission status Web site. "This wasn't a question of if someone was going to do this, but when," Hemmendinger said. "It's not appropriate, but it was foreseeable."
The Rev. William Grogan, an ethicist and attorney at Loyola University in Chicago, said the combination of lax security by Yale and the "predatory ethics" at Princeton led to the incident. Many universities have unfortunately adopted the business maxim of "do whatever it takes to reach your goal," he said, even if it harms others. "That appears to be adopted in this academic culture," Grogan said.
Marc Rotenberg, executive director at the Washington-based Electronic Privacy Information Center, a privacy advocacy group, said the incident provides a stark reminder to always look at the potential downside of personal information that is posted online. "What the Princeton official did was probably wrong" and could even be illegal, Rotenberg said. "The Yale mistake was putting sensitive information online with weak access controls."
Jose Granado, a security specialist at New York-based accounting firm Ernst & Young LLP, said more accountability is needed before personal data is posted on the Internet. "These kinds of things are going to continue to happen in the future because of the amount of information online these days," said Granado, director of Ernst & Young's advanced security center in Houston.
Princeton hired Newark, N.J., attorney William Maderer to conduct an independent investigation. The university said that it "deeply regrets the improper acts that have taken place" and that it has pledged to cooperate with authorities investigating the incident. Computers and other equipment will be scoured as investigators work to determine who was involved and why the activity was undertaken.
The Web site activity by Princeton admission staff members was first reported yesterday by the Yale Daily News, Yale's undergraduate campus newspaper.

Read more about Security in Computerworld's Security Topic Center.