Executive Summary

Background

At significant cost, Chariot developed WebTest, a proprietary, Internet-based assessment system. The University of Phoenix (UOP) entered into an agreement with Chariot whereby Chariot would provide use of WebTest for purposes of delivering placement tests to all enrolling UOP students and end-of-program exams to graduating UOP students.

The WebTest system was used by all UOP campuses and delivered in excess of 125,000 placement and end-of-program exams.

The Business Relationship

The agreement between UOP and Chariot was for the use of Chariot’s proprietary system. Chariot provided 7/24 hosting and system support services. UOP paid a monthly fee for the services provided by Chariot.

What UOP Did

During the term of the agreement, the University of Phoenix retained a Phoenix-based company, Intrasight, (formerly known as Veleo, formerly known as Momentum Interactive) to develop a system that would replace Chariot’s proprietary system. Intrasight had no prior experience in the development of Internet-based assessment systems.

Without the knowledge or consent of Chariot, UOP employees of provided Intrasight personnel with the security codes necessary to gain access to the Chariot system’s administrative module. The log in ID and password provided by UOP to Intrasight was at the highest level of access available to a client — an access level assigned by Chariot to only 4 employees of UOP. One or more of these UOP employees supplied Intrasight with the log in ID and password necessary to access Chariot’s WebTest system.

The 4 persons at UOP who were granted the access level were:

  • Dr. Elizabeth Tice, former UOP Vice President and Dean of General Studies
  • Mary Alexander, Assistant to Dr. Tice
  • Heather Miller, Assistant to Mary Alexander
  • John Couillard, Information Technology

The principals of Intrasight include:

  • David Tedesco
  • Stuart Clapick
  • Allan Henry

Upon discovery of the intrusion, an extensive forensic analysis was performed on Chariot's server log files. That analysis proves beyond any doubt that:

  • Intrasight illegally intruded into Chariot's web servers during a 6-month period in 2002.
  • Intrasight gained access with security codes provided by UOP personnel.
  • Intrasight spent a substantial amount of time accessing the architecture, functionality and capabilities of Chariot's system.
  • On numerous occasions, up to three computers with Intrasight's IP address simultaneously intruded into Chariot's system.
  • On several occasions, Intrasight computers and UOP computers, simultaneously, were found to be performing the exact same transactions and looking at exactly the same information generated by the system.
  • Intrasight spent a considerable amount of time downloading the Chariot system's on-line help files. This is significant because the help files fully explain not only the specific operation for which help was requested, but also the rationale for that specific operation.
  • Intrasight copied on-line web page code from copyrighted Chariot System pages. The copied code was then employed in the replacement system developed by Intrasight.
  • When Intrasight implemented their replacement system on UOP servers, the copied code directed UOP students to Chariot's servers to access test items.
  • Log files indicate those illegal intrusions directed by UOP web servers continued for 5 months beyond the expiration of the service contract.

Newspaper Articles:

Websites: