I remember in high school poking around a network drive until I found an executable with the name "SEND" in the name. I had a sense that it would send some kind of message somewhere, but I honestly didn't know where or to how many people. I was quite surprised when all the screens in our computer lab froze and, five seconds later, my message appeared on all of them. (I later learned that my message appeared on every desktop screen in the school!)
I'm not sure exactly how they found me out, but I was called into the IT admin's office a couple of days later. She was furious with me. I told her the truth. I didn't know what exactly would happen when I ran that command, but she didn't buy it. Fortunately, nothing ended up happening after that.
I've wondered to this day what exactly they could have done to me if they decided to press whatever legal authority they might have had to its fullest extent. I was never told "don't go to Z:\" or "don't run any program other than those on this list." Even after I was found out, I wasn't ever explicitly told that my actions constituted unauthorized access.
It was a different, perhaps more innocent (or ignorant) time back then. How much have things changed now?
I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."
It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).
I'm guessing that they never told you "don't browse this network drive"?
Personal pet peeve:
Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.
FERPA could apply, but I don't know much about that.
A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.
[1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.
Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools; that's much easier than admitting they made a mistake.
That said, I did know a kid that had charges pressed against him when I was in school so things weren’t necessarily innocent back then either. He was admittedly an idiot and borderline malicious though.
* SEND happened
* Minor kerfuffle ensued among various functionaries
* Big Boss worried that something Big was going on
* IT admin was questioned and had no answers
* Simmer for a few days, Big Boss repeating questions and IT admin being flummoxed
* Eventually adequate logs are found and correlated that place you as the likely responsible party
* IT admin is lathered up about a big nothing because Big Boss keeps asking and their competence is in question
* IT admin unleashes the pent-up frustration of a few days of stupidity and job security uncertainty on you, and is not satisfied that all this drama was initiated by boredom and not malice
* IT admin reports to Big Boss, who basically brushes it off because they have moved on to other things -- and at the end of the day knows they run an organization filled with kids, some of whom are more curious than others
* Issue disappears
Wasn't a regular MS user, but we were in a computer training lab at a company for "computer day" field trip. Was bored during instructions, so naturally I logged in, found "net send", and sent a few crank messages to classmates using * as destination. Everyone, including the instructor, got a good laugh.
Approached later in day by corporate IT. Apparently the lab had poor routing rules, no firewalls, and sat on the main Corp network. My messages were received on 25,000 terminals.
Thankfully, they recognized this as (a) harmless, and (b) their own lax failure. No adverse outcome.