This kid is very very lucky. Obviously they violated the CFAA which carries severe criminal penalties. They engaged in actual hacking without any permission or defined scope. And they exploited the system without any responsible disclosure process.
Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.
Absolutely do not access systems you are not allowed to. If you do want to do penetration testing, you need permission from the systems owner and a clearly defined scope. And when you do find issues, you don't exploit them, you responsibly disclose them within a clearly defined framework.
If you want to end up with a criminal record that will profoundly effect the rest of your life, including your career prospects and ability to travel internationally, then by all means, do what this guy did.
I wish it wasn't so. It never used to be. But this is how it is now. Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board or management team to trigger a disastrous outcome in stories like this.
If this went to court, the charges of malicious intent would likely not stick, so jailtime could likely be avoided in leu of fine/community service.
Competent tech companies will not give a shit about criminal record of this nature.
Expulsion from school is pretty much irrelevant, especially for CS careers. You can get a GED, find any college with CS program that will take your money, spend a year having fun, apply for an internship at a tech company, do a good job to be offered a return, talk to HR to go directly into entry level role, and you are set (have personally seen 2 cases of this happening with an intern).
The most functionally harmful thing would be monetary cost, which is still inconsequential considering the salary this guy would make.