"Foolish" university hacker jailed after selling exam papers to fellow students

A former student at the University of South Wales has been sentenced to 20 months in prison, after hacking into the institution's computer systems and selling the answers to exam papers for thousands of pounds.

As BBC News reports, 29-year-old Hayder Ali Jasim (sometimes known as Hayder Aljayyash), was studying for a master's degree in embedded system design at the University of South Wales when he succeeded in gaining unauthorised access to examination papers, coursework, marking and reports.

During lectures in the university's engineering and computer science faculty, Jasim deployed keyloggers that secretly recorded keypresses, and stored them in a file.  In this way, he was able to steal the passwords of university staff.

Between November 2018 and May 2019, Jasim was said to have used the stolen credentials to log in more than 700 times, downloading 216 files.

Jasim monetised the stolen information by working working alongside his fellow student and housemate accomplice, 30-year-old Noureldien Eltarki, who sold copies of the exam papers and answer sheets to students for thousands of pounds.

The hack was only discovered when mathematics lecturer Liam Harris noticed that a number of students had made spelling errors in their answers which matched mistakes the lecturer had made himself on his official answer sheet.

A subsequent investigation into the suspected cheating revealed that login accounts belonging to 17 members of staff had been compromised, and an IP address was linked to a property not far from the university's campus.

Police arrested Jasim on May 30 2019, and computing equipment and £17,000 worth of cash were seized at the property.  A significant amount of stolen university data was subsequently found on the computers found at the address which Jasim shared with Eltarki.

In an interview with the police, Eltarki confessed that he had sold exam scripts to students for as much as £6,500 - with most of the proceeds going to Jasim.

The court was told that the university's investigation into its data breach, and the subsequent new security measures it had introduced, had cost it over £100,000.

That's clearly a lot of money for any educational organisation to find itself having to spend unexpectedly - but I think it's incorrect to link that entirely to the hack.  After all, the university should have had better security systems in place regardless of whether it had suffered a security breach or not.   In short, the university would have clearly needed to invest more seriously in its IT security and harden its defences sooner or later.

Jasim's defence team said that he had "acted foolishly" but said that he accepted responsibility for what he had done:

"He is thoroughly ashamed of himself for his behaving as he did and he realises his behaviour was extremely selfish and wrong."

Judge David Wynn Morgan sentenced Jasim to 20 months in prison for the hack.

Eltarki pleaded guilty to money laundering and transferring criminal property, and was given a nine months prison sentence suspended for 24 months, He was also ordered to carry out 200 hours unpaid work and a six-day rehabilitation activity.