Potential Admission Data Compromise
On March 7, 2019, Grinnell College became the victim of a cybersecurity incident that impacted information that is housed in our admissions database. We took immediate action to determine the nature and scope of the incident, and, more importantly, to determine the incident’s impact on Grinnell College’s students and community. Below is a brief summary and timeline of actions taken by Grinnell College:
- On March 7, 2019, immediately upon learning of the incident, we contacted appropriate authorities, including the Federal Bureau of Investigation. The cyberattack on Grinnell College information was the third in a string of three reported attacks on admissions-related information at U.S. colleges.
- On March 8, 2019, we notified students about the incident, explaining that admissions-related information may have been compromised.
- On March 11, 2019, we established a dedicated and confidential toll-free response line, which was available through June 24, 2019.
- On March 18, we communicated with the Grinnell College community that there is no evidence that financial data provided by students or their families, transcripts, or recommendations were compromised.
- On March 25, the College sent direct notice to any individual whose social security number was confirmed to be included in admission data system files that may have been accessed by an unauthorized individual. These findings were sent via regular U.S. Mail, and the College also sent an email notification to those individuals on March 27. Currently enrolled students were notified through campus email addresses as well.
As the investigation continued, we reminded applicants and students not to respond to telephone or email requests for personal information.
If you received a notice from the College that your social security number was confirmed to be in the files that may have been accessed by the unauthorized individual, the notice letter included recommendations for actions that you could take, including an offer for credit monitoring (for which the enrollment deadline is now passed). In addition, we provided direction for placing a fraud alert with one of the major three credit bureaus and/or requesting a security freeze be placed on your credit file, at no cost to you. Please see the FAQ below for more detailed instructions.
We have worked to provide an immediate, accurate, and thoughtful response to all who have been impacted. We are taking significant measures and working with external cybersecurity professionals to protect information and prevent recurrence of a similar issue in the future.
Admission Data FAQs
- What happened?
- What information was involved?
- What are you doing as a result of this incident?
- What can I do to protect myself?
- How do I place a fraud alert on my credit report?
- How do I place a security freeze on my credit files and how much does it cost?
- When will you have more information about the impact of this incident?
On March 7, 2019, we were made aware of suspicious activity in our admission database. We immediately closed access to our database, notified the FBI, and launched an investigation. We determined that some admission data may have been accessed by an unknown party. On March 25, the College sent a direct notice to individuals whose personal information was confirmed to have been included in the potentially accessed files. The investigation is ongoing, and we will provide follow-up notification as appropriate.
Components of inquiry and/or admission files, including email addresses and contact information, may have been accessed. However, we have no evidence at this time that this incident has included financial information provided by students or parents on financial aid applications, application essays, letters of recommendations, or transcripts.
On March 25, the College sent direct notice of the incident to any individual whose personal information was confirmed to be in the files that may have been accessed by the unauthorized individual. These findings were sent via regular U.S. Mail, and the College sent an e-mail notification on March 27 as well.
We are committed to maintaining the privacy of personal information and have taken additional precautions to safeguard it. We continually evaluate and modify our practices to enhance the security and privacy of personal information.
Please be wary of suspicious emails or requests in general, but particularly any with questionable content (e.g., those that demand payment for your decision or application information). In addition, you should always review your financial account statements on a regular basis for fraudulent or irregular activity. You may consider ordering a free credit report and placing a fraud alert and/or security freeze on your credit file.
If you received a notice from the College that your personal information was confirmed to be in the files that may have been accessed by the unauthorized individual, the notice letter includes recommendations for actions that you can take, including credit monitoring. The enrollment deadline for free credit monitoring is now passed.
In order to place a fraud alert, you can call any one of the three major credit bureaus (as soon as one credit bureau confirms your fraud alert, they will notify the others to place fraud alerts). Alternatively, you may file the fraud alert online.
If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your credit file, at no cost to you. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by sending a request in writing, by mail, to all three nationwide credit reporting companies. To find out more on how to place a security freeze, you can use the following contact information
In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security Number, and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name, or to commit fraud or other crimes against you, you may file a police report in the city in which you currently reside.
Our investigation into this incident to determine the specifics of any data that may have been compromised is ongoing. On March 25, the College sent direct notice of the incident to any individual whose personal information was confirmed to be in the files that may have been accessed by the unauthorized individual. We will provide follow-up notification as appropriate.