Inside Tufts University’s grade-hacking case

Each week, Extra Crunch members have access to conference calls moderated by the TechCrunch writers you read every day. This week, security reporter Zack Whittaker discussed his exclusive report about Tufts University veterinary student Tiffany Filler who was expelled on charges she hacked her grades. Being Canadian and therefore in the U.S. on a student visa, she had to immediately leave the country.

From the transcript:

Firstly, given the legal risks, the potential public relations nightmare, and the ethics behind what looked like a failed due process, why didn’t Tufts hire a third-party forensics team to investigate the incident, especially given the nature of the allegations?

Secondly, how did Tufts decide that the student was to blame for these hacks? Attribution for any hack or cyber attack is often difficult, if not impossible. And the school’s IT department showed no evidence it was qualified to investigate the source of the breaches and demonstrates a clear lack of forensics, given the conclusions it came to, according to a forensics expert we spoke to.

This was definitely one of the toughest stories I’ve had to report in years, in the last seven or eight years, covering cybersecurity, national security. Those are rare for security reporters to focus on a single person for the reporting. Typically I write about data breaches or vulnerabilities or hacks that affect thousands, if not millions, of users around the world.

But this story was far too interesting not to dig into. We tried not to determine whether or not she was guilty or innocent. The fact of the matter is that both sides had conflicting evidence, but Filler offered … it was everything, and Tufts declined to comment on 19 very specific questions we sent.

This is a deeper look into a complicated story that also contains lessons for startups in varying stages of existence. Read on.

For access to Whittaker’s full transcription and for the opportunity to participate in future conference calls, become a member of Extra Crunch. Learn more and try it for free. 

Eric: This is Eric Eldon, the managing editor of Extra Crunch, and with me today is Zack Whittaker, our security correspondent, who covers a wide range of security and hacking issues and a variety of things. Over the past year, he has been doing a deep investigation into a rather troubling case that has happened at Tufts University.

For the format today, Zack is going to tell us all about his approach for the next few minutes in his own words. Then he will open it up to questions for all of you on the phone as well as myself. So without further ado, I’ll let Zack get started.

Zack: Yeah, thanks a lot Eric, much appreciated. Big thanks to everyone who read the story. It took a long time to get this far. The story went out on Friday. It’s received a really good reception, very happy with it. I’m very tired, for what it’s worth. Yeah, this took a long time, weeks and weeks of talking to people, calling people, and trying to figure out exactly what happened here.

Even then, we still ended with more questions than answers. For anyone who read, this was a very deep story, a deep-dive story about a veterinary student, who was accused of hacking her grades. Tufts University pulls this student, her name was Tiffany Filler, out of her classes. She was still in her bloodied scrubs from treating patients, and faced several accusations from the university. Tufts said she systematically broke into several user accounts, modified permission access to those accounts, and changed grades of others.

The school says its IT department used extensive logs and database records to trace activity back to her computer, based off a unique identifier and a Mac address, as well as using other indicators, such as the network she was allegedly using, the campus’s wireless network, or her own off-campus residence.