A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students’ grades, police said.
UC Police Dept. arrested Nancy Ramirez, 21, on March 28 and charged her with two felony counts of illegal access into a computer system and two felony counts of identity theft, said Stg. Mark Signa, UCPD public information officer. Ramirez, a native of Los Angeles, was booked into the Santa Barbara County Jail where her bail was set at $25,000, Signa said. She is currently out on bail, and her roommate, whose name has not been released by police, is currently considered an additional suspect in the case, Signa said.
The grade changes Ramirez allegedly made have been removed and the original grades of the students affected have been restored, said Kevin Schmidt, campus network programmer for the Office of Information Technology. Schmidt declined to say how many students’ grades were changed, but he said a very small number of students were affected.
“It’s not like 300 grades were changed or anything like that,” he said. “It’s not even close.”
Both Ramirez and her roommate’s cases have been forwarded to the SB District Attorney’s Office, but UCPD is still actively investigating the incident to see if any other people were involved, Signa said.
Police, university officials and campus computer specialists said Ramirez’s alleged illegal access to the computer grading system was not the result of a deficiency or flaw in the program.
“An important distinction in this case, compared to some other instances you’ve seen reported on around the country, the integrity and security of our grading system is intact and was not compromised,” said Paul Desruisseaux, UCSB assistant vice chancellor of public affairs.
The person guilty of changing the grades fraudulently obtained passwords using personal information of faculty members who have access to the grading system, Desruisseaux said.
The university’s grading system, eGrades, is an in-house program that professors can access via the Internet to submit and alter students’ grades. eGrades uses UCSB NetID, a campuswide authentication system, to check a user’s identity. If a user forgets their password, they can reset it by entering their Social Security number and date of birth, Schmidt said.
Signa said Ramirez worked for the Goleta branch of Allstate Insurance, where she had access to the personal information of two UCSB professors who were insured with the company. Ramirez reset their passwords using private information she obtained from her job, Signa said.
“It’s believed at this time that [Ramirez] accessed the computer system from her house,” Signa said. “There is also a second indication that the computer was accessed at one point from the office where she worked, so its believed [she used eGrades at] both locations.”
Both UCPD and the university declined to release the names of the two professors or which classes they teach because of the ongoing investigation.
Ramirez, who could not be reached for comment after repeated phone calls Tuesday evening, changed her grade in one class from a B to an A, Signa said. She also altered the grades of her roommate from an F to a B+ in one class and from a B to an A+ in another class, Signa said. Further details about other changes Ramirez made were not available at press time.
The university has not decided what, if any, punishment Ramirez could face from UCSB if she is convicted, Desruisseaux said.
“This is a criminal matter, so it has to be dealt with at a criminal level,” Desruisseaux said. “Obviously this is a very serious issue, so we’ll have to see what happens with the courts and how the charges are disposed of in this case.”
Computer specialists noticed irregularities in the grading system on March 16, during the middle of last quarter’s finals week, Schmidt said. When a grade is altered, a feedback system is automatically triggered to inform professors and the Registrar’s Office of the changes.
“There’s basically a feedback mechanism, and ultimately, it comes back to the feedback mechanism and the individual department trying to reconcile grades and saying ‘It doesn’t look like this is correct and how can this happen?'” Schmidt said. “That turned into another investigation that went toward the Registrar’s Office making an inquiry.”
The university informed UCPD of the possible illegal computer activity on March 18, according to a UCPD press statement. The activity was traced to Cox Communications, an Internet Service Provider, and the Goleta branch of Allstate Insurance.
Both companies cooperated with police and provided computer usage records, which led police to an apartment on the 6600 block of Trigo Road, Signa said.
UCPD also found that a resident living at the apartment, Ramirez, was an employee at Allstate Insurance in Goleta. Police served a search warrant at Ramirez’s residence on March 28, where they seized a laptop computer and a desktop computer, Signa said.
During questioning, Ramirez said she gathered the personal information of the professors from her job and used it to change her grades, as well as the grades of several other students, according to the statement.
In many cases of identity theft, the culprit would try to spoof, or fake, their Internet Protocol (IP) address, the numbering scheme that identifies computers connected to the Internet. The technique makes it difficult for authorities to locate the origin of an identity theft.
When Ramirez allegedly accessed eGrades, there was no attempt to mask or hide the location from which she entered the system, Schmidt said. Although she didn’t try to hide her IP address, Schmidt said her understanding how the UCSB NetID authentication system worked and how it related to the eGrades system required some technical savvy.
“Knowing what information you need in order to do the password reset and gathering that information and then going and submitting the grade changes — you don’t just trip and accidentally fall into that,” Schmidt said. “That requires some specific planning and effort to do that.”
Schmidt said although eGrades is accessible through the Internet, there are security precautions that protect it from unauthorized usage.
“You have to use an encrypted web browser connection, so if you know that as the geeky https, you have to use an https connection, so that provides the real protection to it,” Schmidt said.
The https protocol encrypts data sent between a user’s computer and the system they are connected to.
Even though a person was able to submit grade changes, eGrades’ other security mechanism performed well during the incident and its record keeping allowed the changes to be easily rolled back, Schmidt said. Its record keeping also allowed computer technicians and police to quickly discover the origin of the grade changes, he said.
“You build in everything you possibly can, you try to make sure all of the bases are covered and then you still prepare in case somehow, something does happen,” Schmidt said. “You be ready to follow up if the worst happens — not to say that this is the worse because it’s clearly not. This is all recoverable.”