
I don't see the point in bringing the legal hammer down on a student. With security holes this large and gaping, it's the system administrator that needs to change the way they do things. For instance, monitor the creation of new admin accounts, monitor logged data for events that indicate a breach, enforce some minimal level of password difficulty, etc. This sort of malfeasance seems like _exactly_ what the sysadmin at a school should be expecting. Someone who waltzes up to the login prompt and types the first thing that comes to mind.

Personally, I don't think this or anything close should be made illegal. Who was hurt? What was the damage and the cost? Private data was likely at risk, and maybe there's a case to be made there, but I'm not entirely convinced that shouldn't be laid at the feet of the organization for shoddy security practices.


