HBS gets tough on ethics. Are they right?

Boston.com: Harvard rejects 119 accused of hacking. Following up the revelation that the third party company that manages online B-school apps got hacked, it looks like HBS (along with the Tepper School at Carnegie Mellon) is taking a hard line on admissions and blanket rejecting the 119 people whose admission files were hacked, while other B-schools (including Sloan) are taking a wait and see approach.

Does this mean that the other schools are soft on ethics? Maybe not, if the opposing perspectives in the article are correct:

Theoretically, at least, a hacker might have been a spouse or parent who had access to the password and personal identification numbers given to a business school applicant…

…[Cambridge Essay Service admissions consultant Sanford] Kreisberg said some applicants may had inadvertently tried to access the files, without realizing they were looking for confidential information, after they were e-mailed directions from other students who had copied them from the BusinessWeek message board.

It’s hard to tell from the articles, which don’t discuss the nature of the exploit. So let’s take a look. On the PowerYogi blog, the exact procedure used to do the hack is disclosed. Briefly, it appears that the hack relied (past tense, the info is no longer accessible) on a known URL that displays a dynamic page containing admission decision information, if any has been entered into the system. The parameters required to get the decision information are the applicant’s unique ID, apparently known as the AYID (or ApplyYourself ID) and a second ID number. The AYID is disclosed to the applicant on the URL for other pages that the applicant would normally visit. The second ID number can be discovered by viewing source on publicly accessible pages. Though the decision page is addressed via HTTPS, once you know the AYID and the secondary ID, you don’t need any other authentication information to access the page.

So the question is, could people have been tricked into looking at their records, as Kreisberg suggests? Answer: probably not. Following the directions to get the ID values should tip the applicant off that they’re going to see something they shouldn’t be seeing. And I don’t think it would be common for people to share out their user IDs and PINs for their online applications, so the odds of someone else checking your application status without your knowledge are pretty slim.

Bottom line: I think Sloan and the other business schools involved should take a hard line on its applicants’ files who were compromised as well.

And I think that all the schools involved should look at another vendor for online applications. ApplyYourself’s system doesn’t appear to meet even minimal standards for securing the sensitive information with which it is being entrusted. Hopefully Sloan CIO Al Essa is already looking closely at this situation.