Sabotage of student records at a Sydney university exposed serious weaknesses in NSW public universities' computer systems, an independent commission has found.
The Independent Commission Against Corruption (ICAC) called for tighter security around student administration systems, after an investigation into the conduct of officers and students at University of Technology Sydney (UTS).
The report alleged former UTS graduate student adviser Toto Sujanto corruptly used a computerised student record system to wipe failed subjects off nine separate students' records, in exchange for money and favours.
ICAC alleged Sujanto used another staff member's log-on ID and password to gain access to the computerised student administration system (SAS) user pool - a term that refers to a level of access -- not relevant to his responsibility. Sujanto allegedly then modified academic records from failed to cancelled. If undetected, these changes would have resulted in the deletion of failures from the students' academic records and loss of fees for the university, according to ICAC.
In a statement ICAC Commissioner Irene Moss said the investigation uncovered the vulnerability of computerised student record systems at UTS and other universities.
During the investigation, ICAC surveyed nine other public universities in NSW to determine if they were exposed to the same corruption risks as UTS.
The survey found student record systems were flawed because no full audit trails existed. The survey also found access to SAS pools were not carefully monitored despite the fact that students, who are also employed by the university, can modify or create student records.
In its report, ICAC detailed a series of shortcomings, both technical and procedural in nature, in the UTS student administration system, including failure to monitor access levels, ignorance of the level of access that each SAS pool provides and poor password security. UTS failed to adhere to its IT security policy, according to ICAC.
The university was not able to provide further detail on SAS or the software involved at the time of going to print; however, registrar Jeff Fitzgerald said in a statement that UTS has already implemented the major recommendations of the ICAC reports.
"When this matter came to light, UTS employed PricewaterhouseCoopers to audit the university's student administration system and establish measures to increase the security of student records," Fitzgerald said.
"In addition, we have used this matter as an opportunity to ramp up our security with a range of work processes that will streamline student administration and make staff responsibilities very clear."
As well as calling on universities to critically review their student record systems, Moss said recommended ICAC chair a universities' working party to look at a sector-wide approach to building corruption resistance in all NSW universities.
"Tighter security of student records is essential to guarantee public confidence in university qualifications," she said.