Another one for the "If you find the issues, don't let us know" department.
Date: 10/29/2008 9:49 am
Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies on claims that he accessed a file containing Social Security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw.
"All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
Exposures like this are probably apt to remain open for much longer than two weeks. The concept of least privilege means that not everyone with a district password should have had access to privileged information.

