California’s community college system is asking the state for $100 million to revamp its technology infrastructure to upgrade security and overhaul its application portal.
The request follows revelations that tens of thousands of fake student accounts were created to fraudulently attempt to obtain financial aid, submit applications across the system’s 116 colleges and in many cases make it through the application portal.
At least one district, the Peralta Community College District, has acknowledged that about $179,000 in aid was distributed to fictitious students, as was first reported by The Citizen, a student-run newspaper covering the district.
According to a memo submitted to Peralta’s district’s board of trustees, the district received 3,473 fraudulent applications as of Sept. 14. Of those applications, 75% were blocked from enrolling but the remaining 25% successfully enrolled in nine-to-12 units.
Monday’s vote on the budget request by the statewide board of governors followed a closed session of the board that lasted more than an hour, in which members received a report on the bot security breach. Pamela Haynes, board president, announced after the meeting that there was no action taken during the closed session. In an interview, Haynes declined to answer questions about what the trustees learned during the closed session, saying that part of the meeting was confidential.
An agenda item describing the closed session said: “Recent findings related to financial aid fraud attempts through the California Student Aid Commission are of grave concern. … This closed session would provide an opportunity for Chancellor’s Office staff to provide a confidential briefing to the Board of Governors regarding the progress of these efforts, lessons learned and action needed.”
The item also said that California’s open meeting law permits the board to enter closed session to consider “matters posing a threat or potential threat of criminal … activity against the personnel, property, buildings, facilities, or equipment, including electronic data, owned, leased, or controlled by the state body,” if public disclosure of the matters could compromise safety or security.
The U.S. Department of Education’s Office of the Inspector General is currently investigating the scam. The inspector general has also advised colleges across the country to be on alert for scam attempts.
What’s not clear is how many bot accounts have been successful in those scam attempts. Siri Brown, the vice chancellor of academic affairs at Peralta, told Peralta’s board of trustees last week that the $179,000 distributed via the phony accounts at that district “is small in comparison to what’s happening in many other districts.”
It’s unclear how many community college districts have disbursed aid to fraudulent students. A spokesman for Peralta on Monday did not immediately respond to a request by EdSource, asking which districts Brown was referencing.
The bots appeared focused on taking advantage of an unprecedented flow of federal dollars to college students.
The state’s community colleges have been disbursing emergency Covid relief grants to enrolled students since last year as part of the system’s $1.6 billion federal allocation for student grants. (California is getting the most aid of any state — $9.5 billion, with about $4 billion allotted to community colleges.)
About $270 million was distributed through the end of 2020 to more than 439,000 California community college students, including more than 56,000 who dropped out after receiving the grants, an EdSource analysis of the most recent federal data found. It is not known if any were fake students or how many students normally drop out.
It’s also unclear when the phony bot accounts first started getting through the system’s application portal, known as CCCApply. At least one college, Citrus College in eastern Los Angeles County, was alerted to fraudulent enrollment attempts as early as March of this year, according to the Citrus College Clarion.
Haynes declined to answer EdSource’s questions about the Peralta disclosure and whether the system has received notice from other colleges and districts about fraudulent applications and losses incurred, information that the chancellor’s office has asked colleges to provide. Rafael Chávez, a spokesman for the chancellor’s office, also did not say whether the system knows of other colleges that have disbursed aid to fraudulent students.
On Monday, the board of governors for the community college system approved its 2022-23 budget request, marking the first step in negotiations with state lawmakers and Gov. Gavin Newsom for next year’s budget. The request includes $100 million for “systemwide and local efforts focused on modernizing technology infrastructure and protecting sensitive data.”
Of that, $7.63 million would go toward an overhaul of CCCApply, the central application portal that many bots were able to bypass. Among the goals of the revamp, according to a summary of the budget request, would be to better detect fraudulent applications.
In July, the chancellor’s office installed anti-bot software in an attempt to reduce fraud on its application portal. As of earlier this month, that software had detected that 20% of traffic to the application portal was bot-related, and the software had stopped 15% of it.
Brown, the vice chancellor at Peralta, said during the district’s recent board of trustees meeting that despite the implementation of that software, the district is “still receiving fraudulent applications from CCCApply.”
Haynes, president of the system’s board of governors, said in an interview that the community college system had been eager to redesign its application portal even before it was aware of the bot attacks. But she added overhauling the portal would help to prevent further problems with those fraudulent applications.
“Anytime you have a system that bots or other bad actors are misusing, you have to try to address that,” she said.
More changes to the application portal will come this fall when the chancellor’s office plans to pilot multifactor authentication whenever a new account is created on CCCApply, said Chávez, the chancellor’s office spokesman. Multifactor authentication requires a user to provide additional proof to verify their identity beyond just their username and password.
Chávez added that modernizing the application portal “is only part of the solution” to the bot attacks. “Long-term, we need to invest in technology security and advancements, at the system and local level, continuously to keep pace with cyberthreats and growing sophistication of technology,” he said. “We are at a point where we are looking at technology updates as important as looking at facilities upgrades for safety purposes.”
The technology system overhaul also comes at a time when the community college system has been unable to generate enrollment data for fall of 2020 and spring of 2021. The college system has said colleges have had trouble counting students taking noncredit classes and students who started but did not finish independent study during those semesters.
In April, EdSource reported a severe drop in statewide community college headcount — the raw number of people taking classes. Within a month, the college system removed its enrollment and headcount data from the website. Different fall 2020 and spring 2021 data were restored to the site by July, but with the red-letter warning that the numbers, which are part of the system’s “datamart,” should not be relied upon.