NORMAN — Although it's difficult to say exactly how frequently such incidents happen, instances of unauthorized grade changing at universities are rare, a cyber security expert said.
No data exist that show the frequency of security breaches like the one University of Oklahoma officials say happened there recently, said Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research. Still, Cate said he suspects grade-changing isn't a major issue at most universities.
OU student Roja Osman Hamad, 24, faces five counts of computer fraud after OU officials said he broke into the university's computer system and changed his grades.
Hamad, a former student employee in OU's information technology department, was charged in Cleveland County District Court on May 16. Hamad didn't respond to calls and emails seeking comment.
OU spokeswoman Catherine Bishop said the university hasn't prosecuted or expelled a student who changed grades since 1996, the earliest year for which information was available.
According to an affidavit, OU's IT department told OU police that Hamad used his access to the university's computer system to change six faculty members' passwords without their knowledge.
University officials told police Hamad then used the changed passwords to change his grades in the university's system and prevent faculty members from accessing the network, according to the affidavit.
An arrest warrant was issued May 16 for Hamad. He had not been arrested Thursday.
Bishop said university officials notified police as soon as they became aware of the matter. Hamad was also fired from his campus job, she said.
The university also made changes to its security system after the incident, Bishop said. She refused to give details about the changes, saying disclosing information could compromise the university's security system.
At any institution, employees are the most frequent source of security breaches, Cate said. Like Hamad, most employees have access to the institution's record-keeping system that most people wouldn't have.
Cate cited the case of National Security Agency whistle-blower Edward Snowden, who has admitted to leaking classified information to the Guardian and The Washington Post earlier this month. Snowden only had access to that information because he was an NSA employee.
“Insiders are probably the most frequent way that you get breaches,” he said.
In some ways, employees who hack into records can be easier for institutions to handle than outsiders who try to access records. If a university gives an employee access to the university's network, that employee's supervisors generally know what the employee is doing.
An institution can also levy stronger penalties against its own employees, Cate said. If the employee has signed a contract agreeing not to try to access certain information, it can be easier for the university to enforce that contract than to press charges against the employee.
Hamad's case may seem like a classic example of student misbehavior, Cate said — the title character in the 1986 film “Ferris Bueller's Day Off” does something similar. But Cate said he'd never heard of a student employee successfully breaking into a university's network to change grades.
But some students have been able to hack into schools' networks to change grades. Tyler Coyner, a University of Nevada student, was arrested in 2011 after police said students paid him to hack into his former high school's network to change their grades.
Generally, defending against an attack like the one OU officials say happened there involves preventing the attack from happening in the first place, detecting intrusions quickly, recovering quickly from any attacks that do happen and prosecuting attackers vigorously to deter other potential attackers.
Many universities already use recorder systems that make it easy to detect such attacks, Cate said. Also, he said, professors generally see their own students' transcripts periodically, and they would be likely to notice any grade changes, he said.
“I suspect grade changing is not a major issue at most universities,” he said. “I'm sure it goes on.”