Last fall, a 20-year-old computer science student named Ahmed Al-Khabaz at Dawson College in Montreal was building a mobile app with a friend to allow their classmates to more easily access their college accounts when they came across a bit of “sloppy coding” in the university’s computer system. The security flaw, he told Toronto’s National Post, would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
And this particular computer system wasn’t just being used at Dawson. The flaw exposed the data of 250,000 students across Quebec. Al-Khabaz duly reported it to the administration. A week later, he decided to run a software test to see if it had indeed been fixed. That’s where his life went into an unexpected tailspin: The software company contracting with the university called him, threatened him, and made him sign a non-disclosure agreement. Then the computer science department voted 14 to 1 to expel him for “unprofessional conduct.”
After Al-Khabaz’s ordeal was reported in the National Post on Monday, the company, Skytech, turned around and offered him a job. But the college is standing by its decision. Al-Khabaz maintains he was a white hat the whole time. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
It seems that Canadian universities, like many businesses and agencies worldwide, need to take a closer look at their data security. In November a lost hard drive exposed the information of over half a million Canada Student Loan borrowers, a misstep that’s leading to a class action suit.