Princeton removes LeMenager from admission office for violations

Aug. 13— The University has removed Steve LeMenager, the first Princeton University official who breached Yale University's admission notification Web site, from the admission office, President Tilghman said today. However, Tilghman does not plan to expel any employee involved in the breach, including LeMenager, who will relocate to another office.

After a nearly three-week internal investigation, Tilghman today gave the University's first public explanation for the recent events that garnered a national audience and led to speculation about increasing competition for top applicants at exclusive universities.

Longtime Admission Dean Fred Hargadon, who had knowledge of the unauthorized accesses into the Yale Web site but did nothing about them, will retire in June, Tilghman said. Until then, he will run daily operations at the office.

Other admission officers have been disciplined for what she called "violations of basic ethical principles of privacy and confidentiality." She would not say what the disciplinary actions included.

LeMenager, who was associate dean and director of admission, was suspended from his position with pay when the investigation began. He will return to the University in the Office of Communications until the University finds another position for him. Tilghman said his salary would remain the same.

Yale President Richard Levin commended the University for how it handled the investigation.

"I am impressed by the thoroughness of Princeton's internal investigation and confident that all concerned now recognize the importance of protecting the privacy of college applicants," he said in a statement.

No applicant has said he would sue Princeton or Yale, officials at both universities said. The F.B.I. and the U.S. attorney's office in Connecticut are continuing their investigations, though both said they would not comment. Tilghman said the University is cooperating fully with authorities.

Hargadon — who learned from LeMenager of the first security breach shortly after it occurred — accepted responsibility for the members of the 30-person staff who accessed the site.

"As Princeton's Dean of Admission, I am ultimately responsible for the manner in which we conduct the University's admissions process and the manner in which all members of the admission office staff conduct themselves in the course of that process," he said in a statement.

Tilghman said Hargadon planned to retire at the end of the academic year regardless of the security incident.

The University also confirmed today that there were 18 visits from computers at the University, four of which occurred outside of the admission office. The remaining 14 accesses originated in the admission office between April 3 and April 15.

Get the best of the ‘Prince’ delivered straight to your inbox. Subscribe now »

On April 3 LeMenager — who was considering a similar notification site for the University — visited the Yale site, Tilghman said. To access restricted parts of the Yale site, he used the name, birth date and social security number of a Princeton applicant he thought probably also applied to Yale.

LeMenager expected the site to require a password, but he was surprised he could access the site immediately, Tilghman said. LeMenager informed Hargadon and other admission staff and demonstrated his discovery for them three times, Tilghman said.

Without informing Hargadon and LeMenager, other members of the staff accessed the Yale site the same way, Tilghman said. The motive for these visits was "simple curiosity," she said. In addition, she said some of the records belonged to applicants whom the University had rejected.

Another access occurred April 5 from one of the same computers used on April 3. An admission staff member who wanted to see the site first-hand made a final visit to the Yale site on April 15, Tilghman said.

Yale first learned of the security breach one month later at a May 15 Ivy League admission deans conference. LeMenager informed a Yale admission dean of his site visits during an open discussion at the meeting, which was held at the University of Pennsylvania's Houston Hall. Ten to 12 people attended.

The attendees, including the Yale officials, had "no strong reaction" to the news that LeMenager had accessed the site, said Michael Goldberger, who represented Brown University at the meeting. He described the meeting as an ordinary collegial conversation among deans.

"Every school was offering information about how they handle the documents," Goldberger said.

Hargadon was not present at the May meeting, two attendees said.

Though Yale initially learned of the visits at this May meeting, they did not contact Princeton officials or government authorities until late July.

"It was an off-hand comment, and we took it seriously," Yale spokesperson Helaine Klasky said, though at a California deans conference on financing college educations held in June, neither Yale nor Princeton spoke publicly of the matter.

Yale subsequently conducted an internal investigation and completed a preliminary confidential report on June 20. After about two months of internal deliberation, Yale's Levin informed Tilghman on July 24 that Princeton officials had accessed the Yale site and that Yale would be contacting government authorities. Yale waited for several months before disclosing its findings because the university wanted to have "thoroughly scrubbed" its internal report before contacting Tilghman, Klasky said.

"Yale really wanted to make sure that they had all the facts before contacting anyone," Klasky said. "While I agree that [LeMenager had accessed the Yale site] wasn't really rumor, people say all sorts of things, and we felt a need to both determine the magnitude of the potential problem and then to try to figure out if there were possibly any other incidences of it."

William Maderer, a former federal prosecutor, was the University's principal investigator. He performed a forensic analysis of computer hardware in the admission office and conducted interviews at both universities.

Reports have indicated that the records of Lauren Bush, the niece of President Bush, and Ara Parseghian, the grandson of the famed Notre Dame football coach, were among those accessed. Both applicants are listed as members of the Class of 2006 in the University's online directory. A total of four applicants whose records were accessed have decided to attend Princeton, Klasky said.

The University of Pennsylvania chose this year to use a personal identification password unique to both that university and the applicant for its online notification site. With such a system, LeMenager or others who had access to applicant data would not have been able to access the site's confidential records.

Because it set up a site with easily obtainable information, Yale should share in the blame for the unauthorized accesses, said Georgetown University law professor Neal Katyal, who is a graduate of Yale Law School. He emphasized, however, that most of blame rests with LeMenager and those who accessed the Yale site from Princeton.

"Yale University didn't take the appropriate steps to safeguard private data because it used common identifiers, such as security number and date of birth — identifiers that are available to malicious hackers as well as people with authorization, such as other officers at other schools," he said. "[It's] just like if you leave the keys to your friend's house under her doormat, and a robber comes and steals it . . . The robber is primarily the culprit, but you also acted foolish."

Thomas Conroy, a Yale spokesman, declined to say whether Yale would accept any responsibility for the breaches of privacy, noting only that the school would improve its security next year.

The search for a new dean of admission to replace Hargadon will begin in the fall.

Internal security in question

The unauthorized access of the Yale web site heightened concerns about network security on campus. Tilghman said the University intends to hire an information technology security officer in the near future. Earlier this year, the University of Pennsylvania was the first Ivy League institution to appoint a privacy officer. Tilghman also said the University will "undertake a thorough assessment" of all its privacy and security policies.

However, many user accounts at the University may be currently susceptible to unauthorized accesses, much in the same way that the Yale site was. The default password for each of the University's three main systems — the e-mail, UNIX and Window NT systems — is the last eight digits of the user's social security number. Social security numbers can be obtained through various means on campus: they are listed on several campus forms and can be used in place of an identification card in Frist Campus Center and dining halls.

With a user's social security number, an unauthorized individual could potentially access the user's online academic records and e-mail, if the user had not changed all three system passwords.

The University would not comment on how many students change their passwords, or whether students know of all three systems, but has acknowledged the security issue and is considering changes to the system.

Dan Oberst, an Office of Information Technology representative, said the University is working to overcome these security concerns.

"We are working on a plan to avoid any passwords passing over the wire unencrypted and other measures to increase security that are independent of what the initial password setting is," he said. "We are also working on a way of insuring that users change their default initial password, which is part of good computer security. We would hope to implement many of these changes over the next year."

However, he said the key will be to find applications which conform to new increased standards or find a way to support students who cannot change their systems for good reasons. Silla Brush may be reached at sbrush@princeton.edu. Zachary Goldfarb may be reached at zag@princeton.edu. Editor's Note: This breaking story was appended to the May 17th issue of The Daily Princetonian's online edition at 10:36 PM on August 13th. It was revised and republished at 10:08 AM on August 14th.