Dawson College Student Hamed Al-Khabaz Finds Security Flaw, Gets Expelled

A Montreal student was expelled from college after finding a serious security flaw in a computer system used by his school and by most Quebec General and Vocational Colleges.

Hamed Al-Khabaz, a 20-year-old Dawson College student, was developing a mobile app when he discovered "sloppy coding," which would allow "anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student."

Al-Khabaz told the Toronto Star it could've affected more than 250,000 Quebec students. He reported it to the school's Director of Information Services and Technology and was told the company that made the software, Skytech, would quickly take care of it.

A few days later, Al-Khabaz decided to use a software program called Acunetix to check whether the flaw had been fixed, the National Post reports. He got a call from Skytech president Edouard Taza accusing Al-Khabaz of a cyber attack. Al-Khabaz apologized and tried to explain that he wasn't doing anything malicious.

Gizmodo summarized what happened next:

Al-Khabaz apologized, and eventually signed an NDA forbidding him from discussing the case, but that wasn't the end of it. Despite the Skytech people acknowledging that there was no malicious intent, Dawson's faculty held a vote on whether it should expel him for "unprofessional conduct." Al-Khabaz was not allowed to speak on his own behalf, and 14 of 15 professors voted to expel him—rendering his grades for the semester zeroes across the board. Two motions for appeal have been turned down.

Dawson director general Richard Filion told the CBC the school had no choice because Al-Khabaz was "guilty in a criminal act," though the college hasn't contacted police.

A statement posted on Dawson's website stands by the decision to expel Al-Khabaz, but added, "Under the terms of Quebec privacy laws, it is illegal to discuss the details of student files with individuals or with the media."

The Dawson Student Union is working to try to get Al-Khabaz reinstated. An online petition currently has 7,656 signatures from around the world in support of him.

Al-Khabaz told the National Post he had been "acing" his classes, but now his dream of getting a computer science degree seems unobtainable.

"I really want this degree, and now I won't be able to get it," Al-Khabaz said. "My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled."


