Oberlin College was recently the victim of a targeted attack that resulted in unauthorized access to personal information. The data compromised was limited to an Office of Admissions database hosted by a third-party vendor.
1. How did this data breach occur?
A third party exploited a heretofore unknown vulnerability in Oberlin’s self-service password application, gaining access to the database used by the Office of Admissions. The application was immediately disabled, the vendor was immediately notified and the flaw was repaired within hours of detection. Based on a preliminary investigation, it appears that this was a coordinated and targeted attack that affected at least two other institutions.
2. Who has been impacted?
The impacted database contains information on prospective students and applicants interested in enrolling at Oberlin for fall 2014 or beyond, which includes most current students. A limited number of those records were accessed. Students enrolling or applying to Oberlin for fall 2013 or earlier are not affected by this data breach. Personal information for faculty and staff was not compromised.
3. What data has been compromised?
This incident compromised personal identifying and demographic information for a limited number of prospective students and applicants. Impacted data may include name, address, birthdate, email, and other admissions data. Social security numbers may have been compromised for accepted students who initiated the new student registration process for enrollment at Oberlin for the fall 2014 through fall 2018 semesters. Social security numbers are not at risk for any other populations, including students who have already accepted admission for fall 2019.
4. Was my financial aid information affected?
No. There is no evidence that information collected for the purpose of awarding financial aid was compromised.
5. How do I know what information of mine was accessed?
Oberlin College will notify you if your information was accessed and explain what that entails. We are continuing to investigate the scope of the information accessed.
6. What was Oberlin’s response to the attack?
Oberlin caught this attack very quickly and took swift and decisive action. All elements of this attack were immediately addressed, from remediation of the initial intrusion, to root cause analysis, to thorough evaluation of the integrity of other systems, to timely, comprehensive, and transparent communication to the community.
7. What is Oberlin College doing to address data security?
Oberlin College is committed to maintaining a secure computing environment and preserving the confidentiality of our electronic information. As part of this commitment, we will continue to review and improve our security procedures to ensure that sensitive and confidential data is protected. We deeply regret that this situation has occurred and are aware of how important your personal information is to you.
8. What steps can I take to monitor my personal data?
Free credit monitoring services will be provided to those affected. Information on how to enroll in this service will be available next week. Additionally, you may want to protect yourself by contacting one of the three companies below to place a fraud alert on your credit report.
- Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
- TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
9. Will I receive further correspondence on this matter? How will I know it is from Oberlin College?
We are committed to keeping the community informed as new or updated information becomes available. If you are unsure about communications you receive regarding this issue, please email email@example.com or call 440-775-8755 to verify the correspondence.
10. How can I be assured that you are taking steps to protect my information in the future?
Oberlin College adheres to a variety of federal and state regulations regarding the protection of personally identifiable information. We recognize the importance of robust and regularly reviewed policies and have protocols in place to review existing policies and to establish new policies.
11. I am the parent of a student who was notified about the data breach. Was my social security number or other data compromised?
No parent social security numbers were compromised. Some limited parent data including name and contact information may have been exposed.
12. Was my credit card data compromised?
No, the affected database does not contain any credit card information.
13. I'm a current applicant. Do I need to resubmit any of my materials?
No, this incident will not affect the review of your application.
14. I have additional questions. Who can I contact?
If you have questions or would like to talk to someone directly about this situation, please contact us by email at firstname.lastname@example.org or call 440-775-8755.