Professor: KU student expelled for hacking, changing grades online

Posted at 9:44 PM, Oct 12, 2017
and last updated 2017-10-12 23:48:53-04

LAWRENCE, Kan. ? A University of Kansas student has been expelled from the school after changing his grades using information he obtained from a keystroke logger.

Aerospace engineering professor Ron Barrett-Gonzalez said faculty were told in a meeting two weeks ago that the incident happened during the last spring semester in a freshman math class.

Barrett-Gonzalez said the school reported that the student plugged a keystroke logger into the back of a lecture hall computer and was eventually able to log into the grading system using the information the device recorded.

The student then allegedly changed his F grades to A grades.

"This goes beyond the naughty little boy who snuck into his professor's office in the middle of the night and pulled the exam paper out," Barrett-Gonzalez explained. "It's a form of betrayal that goes beyond the norm."

Keystroke loggers continue to be a tool used by businesses for employee monitoring.

However, multiple computer experts told 41 Action News they can also be used for spying and cyber crimes.

The devices look similar to flash drives and can be purchased for as little as $25 on sites like Amazon and eBay.

After hearing the details of the cheating incident, Barrett-Gonzalez worried about similar incidents happening at other schools.

"If KU faculty are vulnerable to this then so are Penn Valley, Ottawa, Baker and Johnson County Community College," he explained. "All of the faculty members across the country are vulnerable to this sort of IT breach."

Barrett-Gonzalez voiced concern that potentially finding similar incidents at KU could end up having far-reaching impacts.

"It adversely impacts the integrity of our grading system. The student was caught basically because he got greedy," he explained. "When the integrity of the grading system at any institution is threatened, then it also threatens accreditation. It's absolutely imperative the administration get a handle on it and quickly."

The incident put personal information possibly at risk, and Barrett-Gonzalez said a similar incident could be far worse.

"If you have these login password numbers, you can have access to the Human Resources system," he explained. "From that, you can steal identities. You can reroute bank deposits. It would be the same thing as if somebody logged in to a computer with your passwords. That's the same level of vulnerability."

With similar schemes tough to detect, the professor worried about keystroke loggers being used at other universities and high schools.

"Had the student changed the grade from a C to a C+ or a C to a B, that would have been very difficult to find," he explained. "If college students will do it so will high schoolers."

On Thursday, Barrett-Gonzalez remained frustrated at how the school didn't let professors know of the incident until a meeting held two weeks ago.

"It's absolutely imperative that we are told quickly so we can try to mitigate it," he explained. "The appropriate response would be to at least inform all of the teaching faculty, staff and the graduate teaching assistants."

The computer experts said users can avoid being a victim of identity theft by doing the following:

  • Updating passwords throughout the year and using different passwords for important websites
  • Being cautious of entering personal information on public computers
  • Making sure your antivirus protection is up to date

Moving forward, Barrett-Gonzalez hoped KU would pursue felony charges against the student to make sure another similar incident doesn't happen again.

"It's a new threat that we need to recognize and face head on," he explained. "If the administration would press felony charges, it would send the message that for anybody who wants to do this it is a very serious matter."

41 Action News contacted the University of Kansas public affairs office for comment on this story but did not receive a statement.