Student employees in the records department at a northern California community college used privileged access to the school's enterprise resource planning (ERP) software to change classmates' grades in exchange for money and sex.
As many as 64 current and former students at Diablo Valley College (DVC) in California are suspected of paying up to US$600 per changed grade, reported US newspaper Contra Costa Times.
The cash-for-grades scam may have gone back as far as seven years to the year 2000 and also involved sexual favors in lieu of cash, according to Gary Fincher, the college's then-admissions and records director.
Using their access to the ERP software, a popular package from Datatel called Colleague, the scammers were able to fund trips to Las Vegas.
More than 100 people at DVC and its parent organisation, the Contra Costa Community College District, were allowed to directly make changes to grades at Diablo, the District's vice-chancellor for technology reportedly said.
Students believed to be involved have transferred to UC Berkeley and other University of California campuses. Grades at another Contra Costa member college were also changed.
"The only product a college produces is a transcript with grades on it," Fincher reportedly told the Contra Costa Times. "Once you lose that kind of credibility, how can they assume that any of these grades are right?"
A Datatel spokesman said Tuesday's news reports were the first the company had heard about the scam.
"We have not been told of any security problems with the software," said Peter Abzug, Datatel's director of corporate communications. "DataTel is not the issue."
Datatel's Colleague competes most directly with software from Sungard and Jenzabar, with many large universities opting for software from Oracle or one of its acquired firms, PeopleSoft.
Colleague is used by 740 colleges in North America, according to Abzug. That includes Diablo Valley and its parent organisation, the Contra Costa Community College District, who Abzug said continues to be a "happy" and "loyal" customer.
Abzug said the company had not been contacted by the District or the local prosecutor's office about its software. Colleague's security features are not in question, he said.
"Nobody gains access to any part of our system without permission to do so," he said. "This is not a situation involving weak code or loopholes in our software."
The District’s technology head says that as a result of the scam, the number of employees authorised to change grades has been cut to 11.
Even that number may be too high for Chris Rhoda, vice-president for information services at Thomas College. At the 650-student private college in the US state of Maine, only one employee - the registrar - has the ability to change grades after they have been first entered.
"Employees are your biggest security problem," he said.
While professors can directly enter grades into the database after logging into the network, they must submit paper copies for verification. Any changes require the registrar to be present, he said.
Thomas College uses web-based administration software that it built in-house and which is set to ensure the privacy of student records in other ways. Social Security numbers are by default not displayed when records are shown. Employees must deliberately choose to view the numbers, but are logged every time they do so, Rhoda said.