For at least two hours after midnight Wednesday, a computer hacker enabled applicants to the Harvard Business School to find out whether they'd been accepted, weeks before Harvard planned to release the news.
According to Harvard, more than 100 would-be graduate students took advantage of the digital loophole, and some of them glimpsed preliminary decisions on their applications. The loophole affected other schools, including the Sloan School of Management at the Massachusetts Institute of Technology and business schools at Stanford, Duke, Carnegie Mellon, and other universities. But officials at Stanford and MIT said none of their admissions decisions had yet been posted to their sites.
In a security breach at ApplyYourself Inc., the Fairfax, Va. company that runs the admissions computer systems for the business schools and 400 other colleges and universities, a hacker found a way to let applicants peek at confidential admissions data. "This is the first incident of this kind," said Len Metheny, the chief executive of ApplyYourself. "Once we learned about it, within literally 2½ hours, we had made appropriate adjustments to the system. . . . We still remain confident that it's a secure system."
But Steven Nelson, the executive director of Harvard's MBA program, said their admissions data were vulnerable for nine hours, during which 119 applicants from countries around the world tried to get at their admissions status.
"In the vast majority of cases, people just got blank screens," Nelson said. "But in some cases people got some decision information that was not final." Admissions decisions are not finalized until just before they are sent out, he said.
Nelson would not say whether Harvard had the names of the applicant hackers, whether they would be removed from the applicant pool or what other action would be considered against them. "It's a matter we're taking very seriously," Nelson said last night. "We view hacking into the system as unethical and a breach of the trust we expect of potential leaders."
MIT spokesman Paul Denning said that intruders at the Sloan School's site left empty-handed. "We didn't have any information on the site, so there was nothing for them to see," Denning said.
Derrick Bolton, director of MBA admissions at the Stanford Graduate School of Business, said the school's operations department was alerted to the hacking by ApplyYourself. Bolton said he didn't know how many Stanford applicants had sought to access their files, but he said the school had not posted any preliminary decision information.
"It's an unfortunate situation," Bolton said. "I understand the pressure they (applicants) feel. It's certainly not something we condone. But, on the other hand, I understand the temptation."
Bolton said Stanford officials would be looking into what action, if any, to take against the hackers. "One of the things we try to teach at business schools is making good decisions and taking responsibility for your actions," he noted.
Metheny said that ApplyYourself could supply information to the schools to help them identify applicants who breached the system. But he added that the software should have provided enough information to the schools to let them identify the culprits themselves.
Harvard's business school sent an e-mail to all applicants on Wednesday assuring them that their personal information remained secure. It also said no admissions decisions are final until Harvard reveals them officially. There are three rounds of business school admissions at Harvard. The first batch of admissions was revealed Jan. 19, and the remaining places will be filled on March 30 and May 11.
News of the break-in first appeared yesterday in the Harvard campus newspaper, The Harvard Crimson. An anonymous data thief using the nickname "brookbond" posted instructions on how to crack the ApplyYourself computer system shortly after midnight Wednesday on an Internet bulletin board run by BusinessWeek magazine. "There was a student who through essentially reverse engineering, had figured out how to access a secured page," Metheny said.
Metheny said that the breach would also have allowed an intruder to access admissions decisions for undergraduate schools using the ApplyYourself system. But no attempts were made to gain access to such data. Metheny believes this was because word of the breach was published on BusinessWeek Online, a website frequently visited by business school students and applicants.
Applicants could only look up data about themselves. "It did not allow access to anyone else's data," he said. Metheny said the company found out about the problem when a student contacted the help desk early Wednesday to warn that the system had been compromised. Metheny said that ApplyYourself technicians closed the breach about 2½ hours later.
It's unclear whether BusinessWeek's bulletin board system captured enough information about "brookbond" to allow investigators to identify him. If the site recorded his digital Internet address, this could be traced back to an individual computer. Metheny said that his company has discussed the bulletin board posting with BusinessWeek officials, but added that ApplyYourself has made no formal request for computer logs that could help identify the culprit.
Hiawatha Bray can be reached at bray@globe.com. Robert Weisman at weisman@globe.com