A university official confirmed the investigation Thursday after UI Chief Information Security Officer Jane Drews on Wednesday sent out a message notifying the campus that her department had warned about 250 faculty, staff, and students that their university IDs and passwords had been obtained by "unauthorized individuals."
According to that notification, the suspects obtained the account information by secretly attaching physical devices to university computers in classrooms and computer labs.
"The investigation shows someone attached unauthorized devices to university instructional computers to capture instructor IDs and passwords," according to UI spokeswoman Anne Bassett. "A few students appear to have then used the passwords to change their grades in select courses."
The university initially notified a half-dozen faculty members whose HawkIDs and passwords potentially were used to change grades, according to Bassett.
"Right now, it appears the unauthorized devices captured the username and password for approximately 250 university faculty members, staff, and students," Bassett said, adding, "Only five percent of those accounts were subsequently used by someone other than the account owner."
No evidence suggests the devices were used to access any records other than academic records, according to Bassett.
If the university determines students cheated, it will "take appropriate disciplinary action, which may include expulsion or suspension."
The university's information technology services unit is conducting a "physical examination of all instructional computers to search for any additional unauthorized devices." And officials continue to advise all UI community members to change their HawkID passwords -- if they haven't already done so.
Bassett said police also are involved, as this is an ongoing criminal and academic investigation.
In response to the breach, the university also is reminding employees to make sure their two-factor authentication -- a two-Step login process -- is enabled and properly configured.
To change your HawkID password, visit http://hawkid.uiowa.edu
To enroll a two-step login with duo security, visit https://its.uiowa.edu/two-step
Anyone wanting more information can contact the Information Technology Services Help Desk at (319) 384-4357 or its-helpdesk@uiowa.edu.
Anyone who suspects their HawkID account was used inappropriately can contact the Information Security & Policy Office at (319) 335-6332 or it-security@uiowa.edu.
©2017 The Gazette (Cedar Rapids, Iowa), distributed by Tribune Content Agency, LLC.