Two former Fresno State students were indicted by a federal grand jury in connection with hacking into the university’s computer system and changing their grades in the spring 2005 semester, according to an e-mail sent to university faculty and staff on Oct. 31.
A small number of students were found to have made unauthorized changes to their own grades and the grades of a few other students, according to Provost and Vice President of Student Affairs Jeronima Echeverria, who wrote the e-mail. The students accused of making the grade changes were employees, and are believed to have abused knowledge about the university’s computer systems they gained through their work assignments. Between March and September 2005, the university responded by devoting about 800 hours in investigative and audit efforts, according to the memorandum.
Two of the former students, John Escalera, 29, of Fresno and Gustavo Razo Jr., 28, of Pasadena, have been indicted for their actions. According to a statement by the U.S. Attorney’s Office, Escalera worked for the university, changing his grades and the grades of his friend, Razo, who paid Escalera.
The audit recommended several improved controls while assuring and that all of the affected grades were changed back to the original grade, Echeverria wrote.
All students involved were given due process through the universityâ€™s judicial affairs procedures. Each received disciplinary sanctions based on the evidence and the extent of their participation. Their offenses ranged from accepting the grade change to abusing their access by making the inappropriate changes. The university sanctions included expulsions, suspensions and loss of diploma.
Because some of the participants were found to have engaged in potential criminal violations, the discovery was referred to the Federal Bureau of Investigation and subsequently to the U.S. Attorney’s Office for prosecution. Until the criminal investigation was completed, the university was asked not to inform the academic community.
According to the memorandum, the “improved controls” recommended by the audit were as follows:
1. Requiring the registrar to periodically review a report of all non-routine grade changes, and increase the review of grade changes processed on a daily basis.
2. Requiring Admissions, Records & Evaluations (ARE) and Campus Information Systems (CIS) to conduct periodic reviews of their records and terminate access to grade change and enrollment information by employees whose daily job duties do not require such access.
3. Developing a methodology for periodic reviews of security logs to test whether changes in access are based on valid, properly authorized requests.
4. Refining and upgrading system security, as recommended by ITS and CIS.
5. Developing an automated routine to notify faculty by email when a grade change has been posted to a studentâ€™s transcript.
6. Reissuing a strengthened grade correction form and requiring that the forms be securely stored.
7. Requiring staff members who have delegated registrar functions to sign a formal statement of understanding that acknowledges their special responsibilities and their receipt of training with respect to their delegated powers.