The punishment doesn't fit the "crime". These students didn't "hack". All they did was modify the URL in their browser and read their admission results. This is like changing www.fastcompany.com/index to www.fastcompany.com/pictures to see if anything is there (there isn't).

Who to hold accountable?
- With the students: Partially. But all they did was find answers earlier than b-schools desired. This doesn't warrant non-admission.

- The hosting company who didn't implement basic security measures: Greatly.

Punish the hosting company, not the students.

The prospective students had to be logged in for this to work. In other words, the system explicitly gave them access to that page. It's not like they gained accidental access to the university check distribution system. They got access to their own admission status a week or two earlier than the school intended. Big deal.

The real question the alumni of these schools should be asking is why are the schools paying big bucks to outsource an application that an undergrad programmer could hack together in a week?

Because creating and maintaining a professional, sustainable software development group is not an easy thing, and not many people who are qualified for the other parts of IT leadership at a university can do it.

Which, incidentally, is the same reason that businesses exhibit precisely the same behavior. The ones that put a good internal software dev team together have a big advantage, but it isn't a gimmee.

How about the ethics of reporting without questioning of this grossly stupid behaviour by these academic institutions?

While I will agree that the ASP should certainly be held accountable, those students knew that what they were doing was accessing information that the univeristy didn't want them to have. Is a burglar not guilty of theft because you left your front door unlocked?