High schooler hacks his way to a higher GPA

You’d think students smart enough to hack into their school’s IT system and change their grades wouldn’t need to hack into their school’s IT system and change their grades.

But, of course, smarts don’t automatically mean good grades. And in the hyper-competitive world of elite college admissions, good grades are frequently not good enough.

In this latest student hack, a 16-year-old senior at Tenafly High School, New Jersey, is being charged in juvenile court for allegedly breaching the school’s system, raising several of his grades (which then raised his overall GPA) and sending out college applications with the doctored transcripts.

The student isn’t being named, but NorthJersey.com reported that school officials discovered the breach, suspended the student and rescinded the transcripts.

And the incident also launched another discussion about the pressure to succeed.

Ashley Kipiani, who has tutored high school students for more than 15 years, told NorthJersey.com that the pressure to cheat, “is higher today as students aspire for a perfect grade point average, AP credits and a ticket into a top college.”

Given those incentives, it should not be a surprise that Tenafly is just one of many high schools and colleges targeted by students looking to hike their grades. Recent years are littered with similar stories:

• The FBI arrested Trevor Graves, 22, a former University of Iowa wrestler, at the end of October and charged him with planting hardware keyloggers on several school computers. He allegedly compromised the information of 250 students, faculty and staff and changed his grades more than 90 times between March 2015 and November 2016.
• Chase Arthur Hughes, 19, was arrested in September 2016, after allegedly using a professor’s account to access sensitive information, including employment history, credit, financial and medical information. He was accused of changing grades in two separate classes at Kennesaw State University, including bumping some students’ grades from an “F” to “A” and another from a “C” to “A”. For himself, police say, he changed his from a “B” to an “A.”
• Roy Sun was sentenced to three months in jail in March 2014 after he was convicted of altering his grades – some from an F to an A – while he was a senior at Purdue University. Authorities said he and an accomplice, Mitsutoshi Shirasaki, broke into professors’ offices, installed keyloggers and then waited to hack into the university computer system until 10 minutes before professors’ deadline to submit their grades for the semester.

There are other past examples, of course, and there will surely be more. Business Insider reported in August that students don’t even have to do the hacking themselves.

(They) can access the Dark Web to hire a hacker to change their grades, attack their school’s network with a DDoS, buy drugs and more.

Still, one could argue that these hackers weren’t all that smart if they didn’t know enough to cover their tracks well enough to avoid being caught. In the Purdue case, authorities said the hackers changed professors’ passwords, failed to mask their IP addresses and weren’t “subtle” about the grade changes.

A large part of the problem, school and university officials have been admitting for years, is that academic systems are designed to be open, and are therefore less secure. At a 2014 SANS Security Leadership Summit in Boston, a panel of higher education IT officials said they try to keep things “reasonably safe,” but can’t be “dictators” about security.

Fitchburg State University information security officer (ISO) Sherry Horeanopoulos:

We work in an environment that is designed to be wide open and unguarded. Professors and students need access to resources that span the globe. So how do you take a top-down approach in a bottom-up environment?

Of course, it would help a lot simply to use basic security hygiene. In the case of the University of Iowa hack, the school didn’t use two-factor authentication (2FA) for its student management system, so the login credentials allowed Graves access to teachers’ accounts.

Indeed, using 2FA is no more “dictatorial” than locking office doors. It’s simple prudence.