Security Breach Investigation Leads Down Trail of Grade Tampering at University of Iowa

Evidence points to unauthorized devices that captured users' IDs and passwords.

by Vanessa Miller, The Gazette, Cedar Rapids, Iowa / January 23, 2017

(TNS) — IOWA CITY, Iowa — The University of Iowa is investigating a "handful" of possible cases of cheating -- and warning the entire campus community to change their HawkID passwords — after a faculty member discovered a student's grade had been changed without authorization.

A university official confirmed the investigation Thursday after UI Chief Information Security Officer Jane Drews on Wednesday sent out a message notifying the campus that her department had warned about 250 faculty, staff, and students that their university IDs and passwords had been obtained by "unauthorized individuals."

According to that notification, the suspects obtained the account information by secretly attaching physical devices to university computers in classrooms and computer labs.

"The investigation shows someone attached unauthorized devices to university instructional computers to capture instructor IDs and passwords," according to UI spokeswoman Anne Bassett. "A few students appear to have then used the passwords to change their grades in select courses."

The university initially notified a half-dozen faculty members whose HawkIDs and passwords potentially were used to change grades, according to Bassett.

"Right now, it appears the unauthorized devices captured the username and password for approximately 250 university faculty members, staff, and students," Bassett said, adding, "Only five percent of those accounts were subsequently used by someone other than the account owner."

No evidence suggests the devices were used to access any records other than academic records, according to Bassett.

If the university determines students cheated, it will "take appropriate disciplinary action, which may include expulsion or suspension."

The university's information technology services unit is conducting a "physical examination of all instructional computers to search for any additional unauthorized devices." And officials continue to advise all UI community members to change their HawkID passwords -- if they haven't already done so.

Bassett said police also are involved, as this is an ongoing criminal and academic investigation.

In response to the breach, the university also is reminding employees to make sure their two-factor authentication -- a two-step login process -- is enabled and properly configured.

To change your HawkID password, visit http://hawkid.uiowa.edu

To enroll in two-step login with Duo Security, visit https://its.uiowa.edu/two-step

Anyone wanting more information can contact the Information Technology Services Help Desk at (319) 384-4357 or its-helpdesk@uiowa.edu.

Anyone who suspects their HawkID account was used inappropriately can contact the Information Security & Policy Office at (319) 335-6332 or it-security@uiowa.edu.

©2017 The Gazette (Cedar Rapids, Iowa), distributed by Tribune Content Agency, LLC.