A Carleton University student who stole passwords and financial data from other students to expose security holes in the university's identification card system could face expulsion or even criminal charges after turning himself in to campus officials.

The student will appear before a university disciplinary committee, said university spokesman Christopher Walters, and his punishment could range from community hours on campus to expulsion.

Meanwhile, a police investigation is trying to determine whether criminal activity occurred during the incident, Walters said.

"It's a very serious offence to break into a university's computer system, take the identities of 32 individuals, put those in a paper and distribute them pretty widely," he added.

The student, who went by the alias Kasper Holmberg, said he stole the data and revealed how he stole it in order to demonstrate the cards were not secure.

He was tracked down through e-mails he sent through the university's computer network.

Once campus security found him, he turned himself in and handed over the materials he used to hack into the system.

"We had a very good idea how he did it," Walters said. "Now we've confirmed how he was able to break into our network system."

Holmberg was questioned by staff and then released.

Apology to victims

Students whose information was stolen said they received an e-mail from Holmberg Tuesday apologizing for involving them.

Holmberg stole data from the campus identification cards of 32 students by installing special software he wrote onto a terminal in a campus computer lab.

Each card has a barcode and a magnetic stripe and can be loaded with cash to make purchases on campus. It contains data such as the student's identification number, computer and e-mail login name and password, and library card number. It can also be used to unlock doors to three campus buildings, including two residences.

On Monday, Holmberg e-mailed the students a 16-page document that revealed how he stole the data. It informed the students that the cards had "insufficient safeguards against information leakage" that could lead to identity or financial fraud and recommended that Carleton stop using the card in its current form.

He had e-mailed the same document to Carleton University officials on Aug. 29.