A Carleton University student came forward Tuesday and admitted to school authorities that he was the one who hacked into student e-mail and financial files.
The school won't name the student but confirmed he is an undergraduate math student. He accessed the accounts of 32 students, by logging in to their e-mail accounts and what's called a Campus Card - a swipe card used as both a security pass and debit card on campus.
The hacker said he broke in to the school's computer system to show a flaw in campus electronic security, which serves almost 30,000 users on the university's network. The student said he used a hidden program to gain passwords to access the files. He then sent a detailed report to the school outlining what he did.
Incident leaves students alarmed
Brittany Smyth, president of Carleton University's student association, said the incident is alarming and disappointing: "I think it's going to be a little bit of a shock to some students because a lot of people rely on it and now it kind of is a little scary."
Several other students agreed, telling CTV Ottawa that e-mail and campus cards are two key systems for campus life and any possibility of them getting breached is a serious concern.
"There's a lot of personal information that you can keep on your e-mail and . . . I'm kind of scared that people can hack in to it so easily," said one student.
"Of course it's a concern to me. It's a way that professors and students correspond with each other, as well as students themselves," said another.
Common attack
The type of attack pulled at the university is not uncommon, though. A security specialist for an Ottawa computer firm told CTV Ottawa his company sees this type of attack all the time and the incident is proof the school needs to review its computer security.
"A university perhaps has one of the most challenging environments in terms of the number of users that are within the perimeter," said Bill McGee of security firm Third Brigade.
Student to be disciplined
School spokesperson Christopher Walters said the student is co-operating fully but a discipline committee will have to decide if the university goes ahead and expels him. Ottawa police, however, say simply accessing the accounts of other students is a criminal offence.
In the meantime, Walters said he wants to assure students that all personal information is, in fact, safe and the breach has since been fixed.
"We'll certainly be looking at the campus card and there are options out there but you know technology is a moving goal post and trying to keep up with it is very challenging. But, we want to reassure our students that the university is confident that their personal information is not in jeopardy through the campus card system."
With a report from CTV Ottawa's Paul Brent