
College student arrested for allegedly hacking system to change grades

Was boosting a "B" up to an "A" really worth a potential jail sentence of up to 15 years?

An ex-college student is facing felony charges for allegedly hacking into the school’s computer system to change grades.

Chase Arthur Hughes, 19, was arrested last week and charged with allegedly raiding computers at Kennesaw State University, in Georgia, starting in May and continuing up through this month.

As Fox 5 reports, police say that during that time, Hughes used a professor’s account to access sensitive information, including employment history, credit, financial and medical information.

Hughes also allegedly scribbled down usernames and passwords of at least 36 faculty members in a notebook that police say they found in his home.

He’s accused of changing grades in two separate classes, reportedly changing some students’ grades from an “F” to “A” and another from a “C” to “A”. For himself, police say, he bumped up a “B” to an “A.”

According to WSB-TV in Atlanta, a professor realized something was up when he got an email from the university computer system about a grade change he didn’t make.

He alerted school officials, who then took the matter to police.

KSU interim CIO Lectra Lawhorne told police that the system worked as it should, sending alerts to professors about the grade changes. But following this intrusion, the college has added more measures to help detect unauthorized access in the future, Lawhorne said.

Hughes, formerly a business major with a concentration in finance, was enrolled at the university from fall 2015 to summer 2016.

He’s facing charges of computer trespassing, computer invasion of privacy, and computer forgery.

Criminal penalties for these crimes include up to $50,000 in fines and/or up to 15 years in prison.

11 Comments

“KSU interim CIO Lectra Lawhorne told police that the system worked as it should, sending alerts to professors about the grade changes”

What about intrusion alerts BEFORE they get into the grade system… the system DID NOT work, they just got lucky at the end that the notification system worked. If someone hacks into your email and steals all your tax info but you get a txt that someone is in your email, did the system work? Nope, you just got owned.

The reactive alerting system worked by making sure the change was noticed and investigated. Ideally a system would warn you of attacks that happen in the future, but we’re still working on fine tuning the pre-cogs to detect pre-crime.

You misunderstood my reply.

The notification was sent AFTER the grade was changed. So he was accessing the system without anyone knowing until he CHANGED something. This is a problem. Intrusion detection was not working or not implemented. The system was not properly protected. It’s great the notification was sent AFTER he already gained access and caused harm. If this was a system holding trade secrets or PII (something valuable) they would have copied it, left and no one would know until the data was leaked. This is a MAJOR issue and that is why they failed.

There was no intrusion as far as the system was concerned, he was using legitimate credentials which he obtained via some other method (social engineering, camera placed conveniently etc). Nice try though.

He used stolen credentials. There was nothing to alert about “BEFORE” the grade change. And even then it was within permissions of the teacher. The notification system worked perfectly as configured. How do you recommend detecting this BEFORE there is any activity that is not standard, magic? Do you get a txt every time you log into your PC at work? Neither does anyone else…
Now if Chase was guessing the password – there could be an alert of failed login attempts (does not apply to this situation).
If he tried to hack into a server – failed access alerts would be sent (does not apply to this situation).
Tried to create a new user – new user creation alerts (does not apply to this situation).
What if he loaded a key logger on the teacher’s PC, maybe AV would pick it up (does not apply to this situation).
Hmmm, let’s review: Chase steals credentials, makes a system change that sets off an alert, student is caught. Looks like it worked great – crook nabbed, grades fixed. Maybe you have some magic that will turn back time and the tooth fairy will stop him from being a bad person? Just got owned? By who, the kid who got arrested, who has a criminal record? I think the kid got owned, and hard.

There is no mention of how he actually stole the credentials. Depending on how he did it, there might well have been numerous ways to detect this theft. Also, you could detect an “unusual” login, i.e. a login from a different computer, different IP, etc.

I feel bad that the professionals working at the university are less knowledgeable than their students. Time for them to start hiring student interns! The CIO should spend less time complaining and install an IPS/WAF or find better programmers.

So this guy could get more time than the Stanford Rapist? And actually go to prison instead of jail?
