Several top US business schools yesterday said they have made no decision to reject the applications of prospective students who tried to peek at their confidential admissions files early Wednesday morning through a digital loophole discovered by a computer hacker.
While branding the snooping a serious breach of ethics, Harvard Business School, the Stanford Graduate School of Business, MIT's Sloan School of Management, and Duke University's Fuqua School of Business, all of which have recently introduced ethics courses, stopped short of saying they would void the applications of offenders.
Representatives of those business schools, however, indicated the hacking might cause them to look at applications in a different light.
Carnegie Mellon's Tepper School of Business in Pittsburgh was the only victimized business school to say explicitly yesterday that it will not admit any proven hacker. ''If we find that any applicant to Tepper School did hack into the website to access their information, we will deny their application," said Mike Laffin, spokesman for the school, which was notified that entry was attempted in the files of two applicants.
At Harvard, where hackers targeted 119 files, and at Stanford, where they targeted 41, yesterday's response was more muted. ''This incident casts the applications of these people in a new light," said Harvard spokesman Jim Aisner. ''No final decision will be made on these applications, however, until the March 30 notification date."
''The situation is still under consideration," said Helen Chang, a Stanford spokeswoman in Palo Alto, Calif. ''Based on the information we have now, we can't make any hard and fast policy."
Officials at MIT's Sloan School and at Dartmouth's Tuck School of Business said they were still investigating the incident.
Directions for hacking into the ApplyYourself website, used by many of the nation's elite business schools for their admissions, were posted on a BusinessWeek Online chat room after midnight Wednesday by a hacker who had managed to reverse engineer the site's software application.
By 9 a.m., hundreds of applicants from around the world sought to enter their files at Harvard, Stanford, Duke, Carnegie Mellon, MIT, Dartmouth, and other business schools.
At least some of the intruders at Harvard glimpsed preliminary decisions on their applications, though most files entered at Harvard and other schools were blank.
Nell Minow, who specializes in ethics and governance at the Corporate Library research firm in Washington, said the incident poses a test for business schools that have beefed up their ethics offerings in the aftermath of recent financial scandals.
''It's important not only that business schools teach ethics but also that they practice ethics," Minow said. ''I would reject all these applications, for this year at least, and really make it tough on those who reapply to show they've learned a lesson. I understand that they're young and are under a lot of pressure. But this is the same impulse that could lead to fooling around with financial reports or other ethical violations."
Some business school officials said their efforts to respond to the hacking are complicated by a potential legal consideration: While the electronic trail provided by ApplyYourself indicates the files hackers attempted to access, it does not prove definitively who did the hacking. If applicants were rejected specifically because of the hacking, some might challenge the rejection by claiming an overeager spouse or parent with access to their passwords had done the intruding.
That consideration might be why schools are broadly hinting they'll reject the applications without saying so outright, the officials suggested. And, in fact, there was discussion in BusinessWeek chat rooms yesterday about rejected applicants suing Harvard or other schools.
Margaret Andrews, executive director of MBA admissions at MIT's Sloan School, said 32 applicants were alleged to have tried to enter Sloan files, though none viewed any confidential data. ''Right now, we're still investigating," Andrews said. ''We want to act with all due speed, but we want to make sure we make the right decision."
Indeed, the language used by Jim Gray, associate dean at Duke's Fuqua School, where only one hacker unsuccessfully sought to access an admission file, was typical of that of those business schools that stopped just short of vowing to reject tainted applications.
''We're, of course, taking another look at this application," he said. ''No decision's been made, but obviously this is a black mark."
Robert Weisman can be reached at email@example.com.