A Dawson College computer science student has been expelled after discovering that students' personal information could be uncovered through an academic online portal system used across Quebec.
Hamed Al-Khabaz, 20, said he uncovered the site flaws while working on a school project for the software development club at the Montreal school. Al-Khabaz said he and a fellow student discovered the potential breach by accident.
“I was just trying to help and make sure our data was safe,” Al-Khabaz told CBC Montreal’s Daybreak.
While looking at the student portal's website, they discovered that by substituting other student numbers into the encrypted links, they could easily obtain information such as the social insurance numbers, home addresses and phone numbers of more than 250,000 students.
Al-Khabaz said he informed the school’s head of information technology immediately after discovering the vulnerability in the school’s Omnivox software and was congratulated for the discovery.
Days later, Al-Khabaz says he ran a program to check if the vulnerabilities he discovered on the site existed, and almost immediately, he received a phone call at home from Skytech, the makers of the Omnivox software.
Al-Khabaz said the call was from Edouard Taza, the president of Skytech, who informed him that he had launched a cyberattack on the site that could result in jail time. He told Al-Khabaz to sign a non-disclosure agreement or face possible criminal charges, so Al-Khabaz signed.
'Attack' made portal unresponsive for users
Skytech released the following statement in response to Al-Khabaz’s test for site vulnerabilities:
“The attack … made the College Portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College Portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities.”
Dawson College then decided to expel Al-Khabaz for breaching the school’s code of conduct.
But Al-Khabaz said the school did not understand he was only trying to help.
"They don’t understand my intentions. They think I’m a threat, a criminal," he said.
Dawson College spokeswoman Donna Varrica sent CBC a statement saying the college stands by its original decision to expel Al-Khabaz.
Varrica clarified the process that leads to expulsion. She said the process includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned.
"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," Varrica stated.
Student union appeals expulsion
The Dawson Student Union is appealing for the school to reinstate Al-Khabaz.
"Hamed is a brilliant computer science student who simply wanted to help his school," said Morgan Crockett, the union’s director of internal affairs and advocacy.
"Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology."
Al-Khabaz said with an expulsion and a note on his permanent student record, he's concerned about being able to find another college willing to accept him.
"I really want to go back to school. I really love the teachers in computer science at Dawson College," he said.