What is exam result tampering or hacking?
Tampering with results is when someone takes a test, but after they take it, the results are changed or subverted, for example, to make someone pass who should have failed. This article considers the risks and prevalence of tampering with or subverting assessment results and how to prevent it.
Someone takes a test and fails it. Never mind, they say. I’ll just hack into the exam system and adjust the result to show I’ve passed!
Can it happen? Yes, rarely. Should it happen? Of course not.
If someone is able to tamper with or subvert test results, it materially impacts the value of the testing process. Other kinds of test fraud (e.g. proxy test taking, content pre-knowledge) are more common, but the impact of tampering with or subverting results is potentially very severe. What is the point of designing a quality test, putting a lot of energy into administering it fairly, only for the results to be subverted? And if tampering is possible or suspected, it reduces the credibility and value of test results.
This article looks at the risks of results being subverted in this way, gives some examples of where it’s happened in real life and suggests some practical steps for test sponsors and test vendors to take to make it less likely.
Some real world examples
Often, the fantasy of being able to hack into exam results and change the grades therein is just a fantasy but it does sometimes happen in reality too.
For example, in 2017, the FBI arrested a student at the University of Iowa. He had installed keyloggers on university computers and obtained access to professor names and passwords. This allowed him to change his own grades over 90 times over a period of two years, and he also changed the grades for five other students. He was sentenced to four months in prison in 2018.
Another example was found at the University of Central Florida, where students went into university computer systems and adjusted grades arising from test scores, for which a student was arrested.
A particular area of vulnerability is where exam scores are passed to external systems used for learning management or results reporting. Such systems may not be as secure as the examination system itself. For example, in 2018, some computer science students who failed a computer science exam hacked into a results display system and adjusted the results to show they had passed even though they didn’t. They were discovered because they were too ambitious, as faculty were surprised that some students who were very weak in some subjects managed to pass them. And because the college kept a backup of the results which were not hacked.
But don’t be fooled, exam tampering doesn’t only happen in universities.
The accounting firm Ernst & Young (EY) was fined US$100m by the U.S. SEC in the summer of 2022 for a whole series of issues with employees cheating at ethics exams.
Mentioned within the government order is an earlier cheating issue where there was a “flaw in the firm’s software that allowed professionals to pass CPE exams without the required number of correct responses”. According to the SEC, “This vulnerability allowed exam takers to achieve a passing score while answering as little as one question correctly. The firm’s investigation of this matter determined that from 2012 to 2015, over 200 EY audit professionals in multiple offices exploited this flaw to pass CPE exams”.
Even more concerning was an incident in India in 2020 where ten medical graduates applying for eligibility to practice medicine in India were found to have hacked into the server to adjust their scores from a failing to a passing grade by adding their names to the list of students who passed. Their hack was discovered but if it had not been, they might have been able to practice medicine without the right qualifications, resulting in devastating health and safety mistakes likely occurring.
Although tampering usually arises from test takers who seek shortcuts to the benefits that exam success brings, it’s also not always test takers who subvert exam scores. Teachers can be under pressure to produce good results and adjust scores too, illustrated well by a scandal in Atlanta some years ago where many teachers were found to have tampered with students’ exam papers by erasing incorrect answers and correcting them.
Another well-publicized scandal where administrators were at fault involved a situation where administrators for entrance exams to the Tokyo School of Medicine tampered with results by adjusting scores over a lengthy period. They did this for a variety of reasons, including making it harder for women to become doctors (due to prejudice that they would leave practice when they had children) and to favor selected candidates who had paid bribes for the privilege.
Where are the risk areas?
So, if you are trying to prevent the risk of tampering with exam scores, where are the risk areas?
It’s helpful to consider a typical process for scoring an exam, as shown in the diagram below. The test taker answers the question (1) and answers are stored (2), and then scored (3). There can be a review or adjustment process (4) and often scores are reported outside the examination system to an external system (5).
Where can problems creep in? There are three obvious areas: If the testing system itself is not robust, there can be threats around steps 2 and 3. For example, teachers in Atlanta were able to adjust answers because they had access to the paper exam sheets.
And in the EY example, it sounds like there was a weakness in the scoring system. So, a robust assessment platform is a necessity.
However, there is the added complication that there can be a genuine and practical need for results ‘tampering’. For example, some genuine causes to ‘tamper’ (or manage) exams after they occur might include:
- The need to remove a question from the exam if it is found to be poor quality.
- To deal with appeals.
- To resolve manual grading or errors in the exam process.
Of course, and as highlighted throughout this article, this genuine need to be able to edit an exam after the fact is a double-edged sword. If a system permits scores to be adjusted, there will always also be a risk of tampering for nefarious reasons (at step 4 in the diagram above) – either from a test taker somehow getting access to the adjustment software or by administrator malpractice. Lastly, the introduction of an external system used to manage and report results (step 5) introduces further risk. There is a threat that results can be subverted when passing the results from one system to the other. And the external system may itself have vulnerabilities that allow adjustment of scores.
Suggested good practices to mitigate test tampering risks
What good practices can test sponsors and those who create testing software follow to reduce the risk of scores being tampered with?
We suggest five key steps as follows:
- Use a secure assessment platform that has been audited by a third party.
- Ensure there is an audit trail of test taking activities.
- If scores can be adjusted, carefully secure the process.
- If exporting the results to another system, do so securely.
- Conduct periodic checks to confirm that scores have not been altered.
Here are some more details on each step. For each step, we include some commentary from our own professionals here at Questionmark and an extract from the ITC/ATP Guidelines for Technology-Based Assessment. These guidelines were written and reviewed by over 100 expert authors under the leadership of the International Test Commission and the Association of Test Publishers to provide guidance to those implementing assessments with technology.
|ITP/ATP guidelines reference
|Use a secure assessment delivery system that has been audited by a third party
|Anyone can claim or hope that their system is secure.
The key to effective security is to follow an IT security standard like ISO 27001 and to have one’s security regularly audited by a third party.
Questionmark is ISO 27001 certified as are most reputable assessment delivery providers.
|5.20 says: “Systems that hold test scores should have information security principles in place that are congruent with ISO 27001:2013, or similar security standards (e.g., the US NIST Cybersecurity Framework). Where possible, certification against ISO 27001:2013 is desirable”
6.9(g): Third-party review and certification of security processes and procedures should be conducted
for assessment systems and data.
Comments: For example, ISO27001 certification or SOC 2 attestation (or comparable).
|Ensure there is an audit trail of test taking activities
|It’s important that every step in the testing process is recorded or logged, so that if score tampering is suspected, an investigation or review can identify and demonstrate what has happened.
Such a set of records is called an “audit trail”. It means that if there is ever any question as to whether scores have been tampered with, one can go through the evidence to examine them. The audit trail itself must be protected from change and backed up. The Questionmark Coaching report is a useful tool for this very purpose.
|6.8(b): “A comprehensive time-stamped audit trail or log should be made of all activity conducted by the test taker and other actors in the testing process, including all changes to data stored due to such activity.”
|If scores can be adjusted, ensure the process is carefully controlled
|We’ve seen in some of the examples above, that test takers have occasionally managed to log in as administrators and change their scores. If there is a capability to change scores, restrict it to as few administrators as possible and use good cybersecurity measures (e.g. 2FA) to make it hard for others to impersonate.
It’s also recommended to have segregation of duties, so that perhaps one person approves a score change and another person implements it.
|5.14: “If scores are capable of being changed, measures should be taken to prevent tampering or unauthorized adjustments of scores, including an audit trail or logging system that records original scores and any changes. The audit trail should be protected from all changes and only available to authorized users.”
|If results are exported to another system, ensure they are done so reliably
|Testing systems are designed for robust and secure score handling. It’s quite common for a robust assessment management system (like Questionmark OnDemand) to be used to deliver an assessment, but then the results are passed into a learning management system (LMS) or other organizational system to manage or action the results.
LMS systems are designed to manage learning and are often more focused on enabling team development than secure measurement. They can lack the security controls an assessment system will have in place. Ensure that any data sent to such systems is securely passed (encrypted) and received accurately.
|6.9a “When transferring data between geographically separate computer systems (e.g., assessment device and server), use encrypted channels to prevent interception and tampering. Encryption should be strong and designed to meet applicable standards and used
for storing all personal data as well as confidential information.”
|Conduct periodic checks to confirm that scores have not been altered
|If scores are tampered with, it will usually be evidenced by score data being different in different places. This can be seen in some of the public news stories above.
For example, if scores are tampered with en route to or within an LMS, the original assessment results in the assessment system will still be correct.
It’s recommended to conduct periodic checks to compare scores in different places, particularly if using an LMS or other system to report scores.
|6.5 “Data quality should be managed commensurate with the stakes of the assessment to ensure accuracy, completeness, and consistency of TBAs.
Comments: Monitoring the following aspects of data quality is important because they may have a
direct impact on the validity, reliability, usability, accessibility, and auditability of assessment
Consistency: Periodic checks that data stored in multiple places within the organization agree.”
Score tampering is rare, but if it happens it subverts the entire benefit of testing. It’s important to put measures in place to make sure that it does not happen in your testing program.
This article has shared some public examples of where it has happened, mostly due to attempts by test takers to cheat but sometimes by administrator malpractice too. Safeguard your learning program from results tampering by following our five key steps outlined above.
And remember, we have a range of other resources tackling test fraud issues so be sure to take a look and check that your L&D efforts are not going to waste.
If you’d like to know more about how Questionmark’s online assessment platform can transform your tests and exams, talk to us today, we’d love to chat.