You can see a story with more details at
http://www.charlatan.ca/index.php?option=com_content&task=view&id=20410&Itemid=148 .
He put a keylogger on a random e-Kiosk PC in one of the campus buildings. These PCs provide 20 minutes of web access per login so that students can check e-mails/surf the web briefly. There's nothing white-hat about this, unless it was done in a proof-of-concept manner, but he _DID_ collect user information.
The login/password combos he would have keylogged let a student into the myCarleton portal (http://connect.carleton.ca), which is just a glorified front-end for their email. All student account information (awards, fees, course registration) is held on a separate server,
http://central.carleton.ca/. This becomes a more serious problem, since once you enter into the "secure" myCarleton portal, you can click a tab called 'Carleton Central', which bypasses your need to use a separate login to view your student account information. They have purposely removed a level of security for convenience to the lemmings.
As for the campus card data, I've never put my campus card through a card reader, but all campus card transactions are approved via a centralized server somewhere. Again, not sure what this kid was trying to prove, but if all he wanted to demonstrate was that he could sniff campus card data, again he overstepped his boundaries.
He sent everything anonymously to Carleton Administration and the students whose data was compromised, but this was also where he tripped up: "his account log-in was embedded in the electronic document he sent out", from
http://www.cbc.ca/canada/ottawa/story/2008/09/11/ot-carleton-080911.html . If you google this person's name, he is rather involved in the Gentoo Security mailing lists.